Abstract. Efficient characteristic set methods for computing solutions of polynomial equation systems in a finite field are proposed. The concept of proper triangular sets is introduced and an explicit formula for the number of solutions of a proper and monic (or regular) triangular set is given. An improved zero decomposition algorithm which can be used to reduce the zero set of an equation system in general form to the union of zero sets of monic proper triangular sets is proposed. As a consequence, we can give an explicit formula for the number of solutions of an equation system. Bitsize complexity for the algorithm is given in the case of Boolean polynomials. We also give a multiplication free characteristic set method for Boolean polynomials, where the sizes of the polynomials are effectively controlled. The algorithms are implemented in the case of Boolean polynomials and extensive experiments show that they are quite efficient for solving certain classes of Boolean equations.
1. Introduction

Solving polynomial equations in finite fields plays a fundamental role in many important fields such as coding theory, cryptology, and analysis of computer hardware. To find efficient algorithms to solve such equations is a central issue both in mathematics and in computer science (see Problem 3 in [39] and Section 8 of [13]). Efficient algebraic algorithms for solving equations in finite fields have been developed, such as the Gröbner basis methods [2, 6, 16, 17, 19, 25, 22, 38] and the XL algorithm and its improved versions [14].

The characteristic set (CS) method is a tool for studying polynomial, algebraic differential, and algebraic difference equation systems [1, 4, 5, 9, 10, 15, 20, 21, 23, 24, 26, 28, 29, 30, 34, 40, 41, 43]. The idea of the method is reducing equation systems in general form to equation systems in the form of triangular sets. With this method, solving an equation system can be reduced to solving univariate equations in cascaded form. In the case of finite fields, univariate equations can be solved with Berlekamp's algorithm [31]. The CS method can also be used to compute the dimension, the degree, and the order for an equation system, to solve the radical ideal membership problem, and to prove theorems from elementary and differential geometries [42].
In most existing work on CS methods, the zeros of the equations are taken in an algebraically closed field which is infinite. These methods can also be used to solve equations in finite fields. But they do not take into account the special properties of finite fields and thus are not efficient for solving equations in finite fields. In this paper, we propose efficient CS methods to solve equations in the general finite field $\mathbb{F}_q$ with $q$ elements. More precisely, we will develop efficient CS algorithms for polynomial systems in the ring

$$\mathbb{R}_q = \mathbb{F}_q[x_1, \ldots, x_n]/(\mathbb{H})$$

where $\mathbb{H} = \{x_1^q - x_1, \ldots, x_n^q - x_n\}$. Due to the special property of $\mathbb{R}_q$, the proposed CS methods are more efficient and have better properties than the general CS method.

A triangular set may have no solutions in a finite field. For instance, $x^2 + 1 = 0$ has no solution in the finite field $\mathbb{F}_3$. To avoid this problem, we introduce the concept of proper triangular sets and prove that proper triangular sets are square-free. We also give an explicit formula for the number of solutions of a monic and proper triangular set. We modify the definition of regular triangular sets [1, 5, 43] in $\mathbb{R}_q$ and give an exact upper bound for the number of solutions of a regular and proper triangular set.

We propose an improved zero decomposition algorithm which allows us to decompose the zero set of a polynomial equation system in $\mathbb{R}_q$ as the disjoint union of the zero sets of proper and monic triangular sets. As a consequence, we can give an explicit formula for the number of solutions of the equation system. We prove that our elimination procedure to compute a triangular set needs a polynomial number of polynomial multiplications, which is not valid for the general CS method.

An element in $\mathbb{R}_2$ is called a Boolean polynomial. Solving Boolean polynomial systems is especially important and more methods are available. This paper will focus on CS methods. We show that for Boolean polynomial equations, the CS method proposed in this paper and that proposed in [8] for Boolean polynomials could be further improved. First, we give a bitsize complexity for the zero decomposition algorithm proposed in this paper. This is the first complexity analysis for the zero decomposition algorithm. The results in [20] are only for the procedure to compute one CS, which is called the well-ordering procedure by Wu [41].

We also present a multiplication-free CS algorithm in $\mathbb{R}_2$, where the size of the polynomials occurring in the well-ordering procedure is bounded by the size of the input polynomial system and the worst case bitsize complexity of the algorithm is roughly $O(n^d)$, where $n$ is the number of indeterminates and $d$ the degree of the input polynomials. This result is surprising, because repeated additions of polynomials can also generate polynomials of exponential sizes. In the general CS method, the size of the polynomials is exponential [20]. Our result also means that for a small $d$, the well-ordering procedure is a polynomial-time algorithm in $n$. The bottleneck problem of intermediate expression swell is effectively avoided for certain classes of problems due to the low complexity of the well-ordering procedure and the usage of SZDD [33]. Our experimental results also support this observation.

The algorithms are implemented in the case of Boolean polynomials. We conduct extensive experiments of our methods for three kinds of polynomial systems. These systems are generated in totally different ways, but they all have the block triangular structure. By block triangular structure, we mean that the polynomial set can be divided into disjoint sets such that each set consists of polynomials with the same leading variable and different sets have different leading variables. Polynomial sets generated in many classes of stream ciphers are in triangular block form. The experiments show that our improved algorithm is very effective for solving these polynomial equations compared with existing methods. We do not claim that our algorithm is faster in all cases. For instance, the first HFE Challenge, which was solved by the Gröbner basis algorithm [18, 35], cannot be solved by our algorithm.

The rest of this paper is organized as follows. In Section 2, we introduce the notations. In Section 3, we prove properties for the proper triangular sets. In Section 4, we present the improved zero decomposition algorithm. In Section 5, we present a CS algorithm in $\mathbb{R}_2$. In Section 6, we present the experimental results. In Section 7, conclusions are presented.

2. Notations and Preliminary Results 

Let $p$ be a prime number and $q = p^k$ for a positive integer $k$. $\mathbb{F}_q$ denotes the finite field with $q$ elements. For an algebraic equation, we will consider the problem of finding its solutions in $\mathbb{F}_q$. Let $X = \{x_1, \ldots, x_n\}$ be a set of indeterminates. Since we only consider solutions in $\mathbb{F}_q$, we can work in the ring

$$\mathbb{R}_q = \mathbb{F}_q[X]/(\mathbb{H})$$

where

$$\mathbb{H} = \{x_1^q - x_1,\ x_2^q - x_2,\ \ldots,\ x_n^q - x_n\}. \tag{1}$$

When we want to emphasize the variables, we use the notation $\mathbb{R}_q[x_1, \ldots, x_n]$ instead of $\mathbb{R}_q$. It is easy to see that $\mathbb{R}_q$ is not an integral domain. For any $a \in \mathbb{F}_q$, $x_i - a$ is a zero divisor in $\mathbb{R}_q$. An element $P$ in $\mathbb{R}_q$ has the following canonical representation:

$$P = a_s M_s + \cdots + a_0 M_0, \quad a_i \in \mathbb{F}_q, \tag{2}$$

where $M_j$ is a monomial and $\deg(M_j, x_i) \le q - 1$ for any $i$ and $j$. We still call an element in $\mathbb{R}_q$ a polynomial. In this paper, a polynomial is always in its canonical representation.

Let $\mathbb{P}$ be a set of polynomials in $\mathbb{R}_q$. We use $\mathrm{Zero}_q(\mathbb{P})$ to denote the common zeros of the polynomials in $\mathbb{P}$ in the affine space $\mathbb{F}_q^n$, that is,

$$\mathrm{Zero}_q(\mathbb{P}) = \{(a_1, \ldots, a_n),\ a_i \in \mathbb{F}_q,\ \text{s.t.}\ \forall P \in \mathbb{P},\ P(a_1, \ldots, a_n) = 0\}.$$

In this paper, when we say a variety in $\mathbb{F}_q^n$, we mean $\mathrm{Zero}_q(\mathbb{P})$ for some $\mathbb{P} \subset \mathbb{R}_q[x_1, \ldots, x_n]$. Let $D$ be a polynomial in $\mathbb{R}_q$. We define a quasi variety to be

$$\mathrm{Zero}_q(\mathbb{P}/D) = \mathrm{Zero}_q(\mathbb{P}) \setminus \mathrm{Zero}_q(D).$$

Let $\mathbb{P}$ be a set of polynomials in $\mathbb{F}_q[X]$. Denote the zeros of $\mathbb{P}$ in an algebraically closed extension of $\mathbb{F}_q$ as $\mathrm{Zero}(\mathbb{P})$. We use $\overline{\mathbb{P}}$ to denote the image of $\mathbb{P}$ under the natural ring homomorphism

$$\mathbb{F}_q[X] \to \mathbb{R}_q.$$

We will give some preliminary results about the polynomials in $\mathbb{R}_q$.
Lemma 2.1 Use the notations just introduced. We have $\mathrm{Zero}(\mathbb{P} \cup \mathbb{H}) = \mathrm{Zero}_q(\overline{\mathbb{P}})$, where $\mathbb{H}$ is defined in (1).

Proof: Let $P \in \mathbb{P}$. By the definition, we have $P = \overline{P} + \sum_i B_i (x_i^q - x_i)$, where the $B_i$ are some polynomials. Note that any zero in $\mathrm{Zero}_q(\overline{\mathbb{P}})$ is also a zero of $x_i^q - x_i$. Then the formula to be proved is a direct consequence of the above relation between $P$ and $\overline{P}$. □

Lemma 2.2 Let $P$ be a polynomial in $\mathbb{R}_q$. We have $P^q = P$.

Proof: Since $x_i^q = x_i$, for any monomial $m$ in $\mathbb{R}_q$ we have $m^q = m$. Let $P = \sum_i a_i m_i$ where the $m_i$ are monomials and $a_i \in \mathbb{F}_q$. Then $P^q = (\sum_i a_i m_i)^q = \sum_i a_i^q m_i^q = \sum_i a_i m_i = P$. □

Lemma 2.3 Let $I$ be a polynomial ideal in $\mathbb{R}_q$. Then $I$ is a radical ideal.

Proof: For any $f^s \in I$ with $s$ an integer, there exists an integer $k$ such that $q + k(q-1) \ge s$. Then $f^s f^{q + k(q-1) - s} = f^{q + k(q-1)} \in I$. By Lemma 2.2, $f^{q + k(q-1)} = f^q f^{k(q-1)} = f^{k(q-1) + 1} = f^{q + (k-1)(q-1)} = \cdots = f^q = f$. Thus, we have $f \in I$, which implies that $I$ is a radical ideal. □

Lemma 2.4 Let $I$ be a polynomial ideal in $\mathbb{R}_q$.

(1) $I = (x_1 - a_1, \ldots, x_n - a_n)$ if and only if $(a_1, \ldots, a_n)$ is the only solution of $I$.

(2) $I = (1)$ if and only if $I$ has no solutions.

Proof: If $I = (x_1 - a_1, \ldots, x_n - a_n)$, it is easy to see that $(a_1, \ldots, a_n)$ is the only solution of $I$. Conversely, let $(a_1, \ldots, a_n)$ be the only solution of $I$. By Lemma 2.1, we have $x_i - a_i = 0$ on $\mathrm{Zero}(I \cup \mathbb{H})$ in $\mathbb{F}_q[X]$, where $\mathbb{H}$ is defined in (1). By Hilbert's Nullstellensatz, there is an integer $s$ such that $(x_i - a_i)^s$ is in the ideal generated by $I \cup \mathbb{H}$ in $\mathbb{F}_q[X]$. Considering $\mathbb{R}_q$, it means that $(x_i - a_i)^s$ is in $I$. By Lemma 2.3, $I$ is a radical ideal in $\mathbb{R}_q$. Thus, $x_i - a_i$ is in $I$. This proves (1). For (2), if $I$ has no solution, we have $\mathrm{Zero}(I \cup \mathbb{H}) = \emptyset$. By Hilbert's Nullstellensatz, $1 \in (I \cup \mathbb{H})$. That is, $1 \in I$. □

Lemma 2.5 Let $P \in \mathbb{R}_q$. $\mathrm{Zero}_q(P) = \mathbb{F}_q^n$ iff $P = 0$. $\mathrm{Zero}_q(P) = \emptyset$ iff $P^{q-1} - 1 = 0$.

Proof: If $P = 0$, then $\mathrm{Zero}_q(P) = \mathbb{F}_q^n$. Conversely, we prove the result by induction on $n$. If $n = 1$, we consider the univariate polynomial $P(x) \in \mathbb{R}_q$. Suppose that $P(x) \ne 0$. Since $\deg(P, x) \le q - 1$, $P$ has at most $q - 1$ solutions in $\mathbb{F}_q$, a contradiction. Now assume that the result has been proved for $n = k$. For $n = k + 1$, we have $P(x_1, \ldots, x_n) = f_0 x_n^{q-1} + f_1 x_n^{q-2} + \cdots + f_{q-1}$, where $f_i$ is a $k$-variable polynomial. By the induction hypothesis, if some $f_i$ is not $0$, there exists an element $(a_1, a_2, \ldots, a_k)$ in $\mathbb{F}_q^k$ such that $f_i(a_1, \ldots, a_k) \ne 0$. Then $P(a_1, \ldots, a_k)$ is a nonzero polynomial whose degree in $x_{k+1}$ is less than $q$. Supposing $a_{k+1}$ is not a solution of $P(a_1, \ldots, a_k)$, $(a_1, \ldots, a_{k+1})$ is not a solution of $P$, a contradiction. Thus, we have $f_i = 0$ for all $i$. It means that $P = 0$, and the first result is proved.

If $\mathrm{Zero}_q(P) = \emptyset$, then $P \ne 0$ at any element of $\mathbb{F}_q^n$, which implies that $P^{q-1} - 1 = 0$ at any element of $\mathbb{F}_q^n$. Then $P^{q-1} - 1 = 0$ by the first result. Conversely, suppose that there is an element $a \in \mathbb{F}_q^n$ such that $P(a) = 0$, which is impossible since $P^{q-1}(a) - 1 \ne 0$. Thus, $\mathrm{Zero}_q(P) = \emptyset$. □

As a consequence of Lemma 2.5, we have

Corollary 2.6 Let $q = 2$ and $P \in \mathbb{R}_2 \setminus \mathbb{F}_2$. Then $\mathrm{Zero}_2(P) \ne \emptyset$.

But when $q > 2$, the corollary is not correct. For example, considering $\mathbb{R}_3$, it is easy to see that $\mathrm{Zero}_3(x^2 + 1) = \emptyset$.



Lemma 2.7 Let $U$, $V$, and $D$ be polynomials in $\mathbb{R}_q$. We have

$$(U^{q-1}V^{q-1} - 1) = (U^{q-1} - 1,\ V^{q-1} - 1). \tag{3}$$

$$(U^{q-1}V^{q-1} - U^{q-1} - V^{q-1}) = (U, V). \tag{4}$$

$$\mathrm{Zero}_q(UV) = \mathrm{Zero}_q(U) \cup \mathrm{Zero}_q(V). \tag{5}$$

$$\mathrm{Zero}_q(\emptyset/D) = \mathrm{Zero}_q(D^{q-1} - 1). \tag{6}$$

$$\mathrm{Zero}_q(\mathbb{P}) = \mathrm{Zero}_q(\mathbb{P} \cup \{U\}) \cup \mathrm{Zero}_q(\mathbb{P} \cup \{U^{q-1} - 1\}). \tag{7}$$

Proof: We have

$$(U^{q-1}V^{q-1} - 1) = (U^{q-1}V^{q-1} - 1,\ U^{q-1}(U^{q-1}V^{q-1} - 1)) = (U^{q-1}V^{q-1} - 1,\ U^{q-1}V^{q-1} - U^{q-1}) = (U^{q-1}V^{q-1} - 1,\ U^{q-1} - 1) = (U^{q-1} - 1,\ V^{q-1} - 1).$$

This proves (3). Equation (4) can be proved similarly:

$$(U^{q-1}V^{q-1} - U^{q-1} - V^{q-1}) = (U^{q-1}V^{q-1} - U^{q-1} - V^{q-1},\ U(U^{q-1}V^{q-1} - U^{q-1} - V^{q-1})) = (U^{q-1}V^{q-1} - U^{q-1} - V^{q-1},\ U) = (U, V).$$

Since $\mathbb{F}_q$ is a field, (5) is obvious. For any element $a \in \mathbb{F}_q^n$, $D(a) \ne 0$ means that $D^{q-1}(a) - 1 = 0$. Conversely, for any element $a \in \mathbb{F}_q^n$, if $D(a) = 0$, we have $D^{q-1}(a) - 1 \ne 0$. This proves (6). Since $U(U^{q-1} - 1) = 0$, (7) is a consequence of (5). □

From (6) of Lemma 2.7, we can see that a quasi variety in $\mathbb{F}_q^n$ is also a variety.

3. Proper Triangular Sets in $\mathbb{R}_q$

In this section, we will introduce the concept of proper triangular sets, for which we can give an explicit formula for the number of solutions.

3.1 Triangular Sets

Let $P \in \mathbb{R}_q$. The class of $P$, denoted by $\mathrm{cls}(P)$, is the largest $c$ such that $x_c$ occurs in $P$. Then $x_c$ is called the leading variable of $P$, denoted as $\mathrm{lvar}(P)$. If $P \in \mathbb{F}_q$, we set $\mathrm{cls}(P) = 0$. If $\mathrm{cls}(P) = c$, let us regard $P$ as a univariate polynomial in $x_c$. We call $\deg(P, x_c)$ the degree of $P$, denoted as $\deg(P)$. The coefficient of $P$ wrt $x_c^d$, where $d = \deg(P)$, is called the initial of $P$, and is denoted by $\mathrm{init}(P)$. Then $P$ can be represented uniquely in the following form:

$$P = I x_c^d + U \tag{8}$$

where $I = \mathrm{init}(P)$ and $U$ is a polynomial with $\deg(U, x_c) < d$. A polynomial $P_1$ has higher ordering than a polynomial $P_2$, denoted as $P_2 \prec P_1$, if $\mathrm{cls}(P_1) > \mathrm{cls}(P_2)$ or $\mathrm{cls}(P_1) = \mathrm{cls}(P_2)$ and $\deg(P_1) > \deg(P_2)$. If neither $P_1 \prec P_2$ nor $P_2 \prec P_1$, they are said to have the same ordering, denoted as $P_1 \sim P_2$. It is easy to see that $\prec$ is a partial order on the polynomials in $\mathbb{R}_q$.

A sequence of nonzero polynomials

$$\mathcal{A}:\ A_1, A_2, \ldots, A_r \tag{9}$$

is a triangular set if either $r = 1$ and $A_1 \ne 0$, or $0 < \mathrm{cls}(A_1) < \cdots < \mathrm{cls}(A_r)$. A trivial triangular set is a polynomial set consisting of a nonzero element in $\mathbb{F}_q$. For a triangular set $\mathcal{A}$, we denote by $I_{\mathcal{A}}$ the product of the initials of the polynomials in $\mathcal{A}$.

Let $\mathcal{A}':\ A'_1, A'_2, \ldots, A'_{r'}$ and $\mathcal{A}'':\ A''_1, A''_2, \ldots, A''_{r''}$ be two triangular sets. $\mathcal{A}'$ is said to be of lower ordering than $\mathcal{A}''$, denoted as $\mathcal{A}' \prec \mathcal{A}''$, if either there is some $k$ such that $A'_1 \sim A''_1, \ldots, A'_{k-1} \sim A''_{k-1}$ while $A'_k \prec A''_k$, or $r' > r''$ and $A'_1 \sim A''_1, \ldots, A'_{r''} \sim A''_{r''}$. We have the following basic property for triangular sets.

Lemma 3.1 A sequence of triangular sets steadily lower in ordering is finite. More precisely, let $\mathcal{A}_1 \succ \mathcal{A}_2 \succ \cdots \succ \mathcal{A}_m$ be a strictly decreasing sequence of triangular sets in $\mathbb{R}_q$. Then $m \le q^n$.

Proof: Let $P$ be a polynomial in $\mathbb{R}_q$. If $\mathrm{cls}(P) = c$ and $\deg(P) = d$, $P$ and $x_c^d$ have the same ordering. Since we only consider the ordering of the triangular sets, we may assume that the triangular sets consist of powers of variables. In this case, two distinct triangular sets cannot have the same ordering. To form a triangular set of this kind, we can choose one polynomial $M_i$ from $\{0, x_i, x_i^2, \ldots, x_i^{q-1}\}$ for each $i$, and the triangular set is $M_1, M_2, \ldots, M_n$. Note that when $M_i = 0$, we will remove it from the triangular set. Thus, there are $q^n - 1$ nontrivial triangular sets consisting of powers of variables. Adding the trivial triangular set consisting of $1$, we have a sequence of triangular sets $\mathcal{C}_1 \succ \mathcal{C}_2 \succ \cdots \succ \mathcal{C}_{q^n}$. Let $\mathcal{A}_1 \succ \mathcal{A}_2 \succ \cdots \succ \mathcal{A}_m$ be a strictly decreasing sequence of triangular sets. If $\mathcal{A}_i$ is nontrivial, for $P \in \mathcal{A}_i$, replace it by $\mathrm{lvar}(P)^{\deg(P)}$. If $\mathcal{A}_i$ is trivial, replace it by $1$. Then we get a strictly decreasing sequence of triangular sets $\mathcal{B}_1 \succ \mathcal{B}_2 \succ \cdots \succ \mathcal{B}_m$. This sequence must be a subsequence of $\mathcal{C}_1 \succ \mathcal{C}_2 \succ \cdots \succ \mathcal{C}_{q^n}$. Hence, $m \le q^n$. □

For two polynomials $P$ and $Q$, we use $\mathrm{prem}(Q, P)$ to denote the pseudo-remainder of $Q$ with respect to $P$. For a triangular set $\mathcal{A}$ defined in (9), the pseudo-remainder of $Q$ wrt $\mathcal{A}$ is defined recursively as

$$\mathrm{prem}(Q, \mathcal{A}) = \mathrm{prem}(\mathrm{prem}(Q, A_r), A_1, \ldots, A_{r-1}) \quad \text{and} \quad \mathrm{prem}(Q, \emptyset) = Q.$$

Let $R = \mathrm{prem}(Q, \mathcal{A})$. Then we have

(10)

where $I_i = \mathrm{init}(A_i)$ and the $Q_i$ are some polynomials. The above formula is called the remainder formula. Let $\mathbb{P}$ be a set of polynomials and $\mathcal{A}$ a triangular set. We use $\mathrm{prem}(\mathbb{P}, \mathcal{A})$ to denote the set of nonzero $\mathrm{prem}(P, \mathcal{A})$ for $P \in \mathbb{P}$.
A polynomial $Q$ is reduced wrt $P \ne 0$ if $\mathrm{cls}(P) = c > 0$ and $\deg(Q, x_c) < \deg(P)$. A polynomial $Q$ is reduced wrt a triangular set $\mathcal{A}$ if $Q$ is reduced wrt all the polynomials in $\mathcal{A}$. It is clear that the pseudo-remainder of any polynomial wrt $\mathcal{A}$ is reduced wrt $\mathcal{A}$.

The saturation ideal of a triangular set $\mathcal{A}$ is defined as follows:

$$\mathrm{sat}(\mathcal{A}) = \{P \in \mathbb{R}_q \mid JP \in (\mathcal{A})\}$$

where $J$ is a product of certain powers of the initials of the polynomials in $\mathcal{A}$. We have

Lemma 3.2 Let $\mathcal{A} = A_1, \ldots, A_r$ be a triangular set. Then $\mathrm{sat}(\mathcal{A}) = (A_1, \ldots, A_r, I_{\mathcal{A}}^{q-1} - 1)$.

Proof: Denote $I = (A_1, \ldots, A_r, A_0)$ and $A_0 = I_{\mathcal{A}}^{q-1} - 1$. If $P \in \mathrm{sat}(\mathcal{A})$, then $I_{\mathcal{A}}^{q-1} P \in (\mathcal{A})$. There exist polynomials $B_i$ such that $I_{\mathcal{A}}^{q-1} P = \sum_{i=1}^{r} B_i A_i$. Hence, $P = \sum_{i=1}^{r} B_i A_i - P A_0 \in I$. Conversely, let $P \in I$. Then there exist polynomials $C_i$ such that $P = \sum_{i=1}^{r} C_i A_i + C_0 A_0$. Multiply both sides of the equation by $I_{\mathcal{A}}$. Since $I_{\mathcal{A}}(I_{\mathcal{A}}^{q-1} - 1) = 0$, we have $I_{\mathcal{A}} P = \sum_{i=1}^{r} I_{\mathcal{A}} C_i A_i$. Thus, $P \in \mathrm{sat}(\mathcal{A})$. □

As shown by the following example, saturation ideals have different properties compared with those in the usual polynomial ring.

Example 3.3 In $\mathbb{R}_3$, let $\mathcal{A} = A_1, A_2$ with $A_1 = (x_1 - 1)x_2$ and $A_2 = (x_1 + 1)x_3$. Then $\mathrm{sat}(\mathcal{A}) = (A_1, A_2, (x_1^2 - 1)^2 - 1) = (x_2, x_3, x_1)$.

3.2 Proper Triangular Sets

As we mentioned before, a triangular set could have no zero. For example, $\mathrm{Zero}_3(x^2 + 1) = \emptyset$. To avoid this problem, we introduce the concept of proper triangular sets.

A triangular set $\mathcal{A} = A_1, A_2, \ldots, A_r$ is called proper if the following condition holds: if $\mathrm{cls}(A_i) = c_i$ and $\deg(A_i) = d_i$, then $\mathrm{prem}(x_{c_i}^{q - d_i} A_i, \mathcal{A}) = 0$.

The following lemmas show that proper triangular sets always have solutions.

Lemma 3.4 Let $P(x)$ be a univariate polynomial in $\mathbb{R}_q$, and suppose that $\deg(P(x)) = d$. If $\mathrm{prem}(x^{q-d} P(x), P(x)) = 0$, then $P(x) = 0$ has $d$ distinct solutions in $\mathbb{F}_q$.

Proof: Since $P(x)$ is a univariate polynomial, $\mathrm{init}(P) \in \mathbb{F}_q$. If $\mathrm{prem}(x^{q-d} P(x), P(x)) = 0$ in $\mathbb{R}_q$, we have $x^{q-d} P(x) = Q(x) P(x)$, where $Q(x)$ is a polynomial and $\deg(Q(x)) < q - d$. Considering the above equation in $\mathbb{F}_q[x]$, there is a polynomial $C$ such that $x^{q-d} P(x) + C(x^q - x) = Q(x) P(x)$ in $\mathbb{F}_q[x]$, where $x^{q-d} P(x) + C(x^q - x)$ is equal to the canonical representation of $x^{q-d} P(x)$ in $\mathbb{R}_q$. Thus, we have $(x^{q-d} - Q(x)) P(x) = -C(x^q - x)$. Since all the elements of $\mathbb{F}_q$ are solutions of $x^q - x$, the $q$ distinct elements of $\mathbb{F}_q$ are solutions of $(x^{q-d} - Q(x)) P(x)$. Note that $\deg(Q(x)) < q - d$. Then $\deg(x^{q-d} - Q(x)) = q - d$. Thus, $x^{q-d} - Q(x)$ has at most $q - d$ solutions in $\mathbb{F}_q$, which means that $P(x)$ has at least $d$ distinct solutions in $\mathbb{F}_q$. However, $\deg(P(x)) = d$ implies $P(x)$ has at most $d$ solutions in $\mathbb{F}_q$. Hence, we can conclude that $P(x)$ has $d$ distinct solutions in $\mathbb{F}_q$. □
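The criterion of Lemma 3.4 can be checked mechanically. The following is an added example (not code from the paper) for a prime $q$: it reduces $x^{q-d}P(x)$ to canonical form in $\mathbb{R}_q$, takes the remainder modulo $P$, and compares the verdict with an exhaustive root count; the helper names and the sample polynomials over $\mathbb{F}_3$ and $\mathbb{F}_5$ are this example's own.

```python
# Added example, not code from the paper: the test of Lemma 3.4 for a prime q, computed
# in R_q = F_q[x]/(x^q - x).  A univariate polynomial is a list of coefficients mod q,
# index = exponent.  Helper names (canonical, poly_rem, ...) are this example's own.

def canonical(poly, q):
    """Canonical representation in R_q: since x^q = x, every exponent e >= q is folded
    to the exponent in 1..q-1 congruent to e mod (q-1); trailing zeros are stripped."""
    out = [0] * q
    for e, a in enumerate(poly):
        if a % q == 0:
            continue
        if e >= q:
            e = (e - 1) % (q - 1) + 1
        out[e] = (out[e] + a) % q
    while out and out[-1] == 0:
        out.pop()
    return out

def poly_mul(a, b, q):
    """Product in R_q (multiply in F_q[x], then reduce to canonical form)."""
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % q
    return canonical(out, q)

def poly_rem(a, b, q):
    """Remainder of a modulo b in F_q[x].  init(b) is a unit of F_q, so the
    pseudo-remainder prem(a, b) is a unit multiple of this and vanishes iff it does."""
    a, b = canonical(a, q), canonical(b, q)
    inv = pow(b[-1], q - 2, q)              # inverse of the leading coefficient (q prime)
    while len(a) >= len(b):
        coef = (a[-1] * inv) % q
        shift = len(a) - len(b)
        for i, y in enumerate(b):
            a[i + shift] = (a[i + shift] - coef * y) % q
        while a and a[-1] == 0:
            a.pop()
    return a

def is_proper_univariate(P, q):
    """Lemma 3.4 criterion: prem(x^(q-d) P, P) == 0 in R_q, where d = deg(P)."""
    P = canonical(P, q)
    d = len(P) - 1
    x_pow = [0] * (q - d) + [1]             # the monomial x^(q-d)
    return poly_rem(poly_mul(x_pow, P, q), P, q) == []

def count_roots(P, q):
    """Number of solutions of P(x) = 0 in F_q by exhaustive evaluation (the cross-check)."""
    P = canonical(P, q)
    return sum(1 for a in range(q)
               if sum(c * pow(a, e, q) for e, c in enumerate(P)) % q == 0)

if __name__ == "__main__":
    # Constructed inputs: over F_3, x^2 + 1 has no root while x^2 + 2 = x^2 - 1 has two.
    for P, q in (([1, 0, 1], 3), ([2, 0, 1], 3), ([1, 0, 1], 5)):
        print(P, q, is_proper_univariate(P, q), count_roots(P, q))
```

When the criterion holds the root count equals $d = \deg(P)$, as the lemma states; when it fails the count is below $d$ (for $x^2 + 1$ over $\mathbb{F}_3$ it is $0$).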
A triangular set $\mathcal{A}$ is called monic if the initial of each polynomial in $\mathcal{A}$ is $1$. A monic triangular set is of the following form:

$$A_1 = x_{c_1}^{d_1} + U_1,\quad A_2 = x_{c_2}^{d_2} + U_2,\quad \ldots,\quad A_r = x_{c_r}^{d_r} + U_r$$

where $U_i$ is a polynomial in $x_1, \ldots, x_{c_i}$ such that $\deg(U_i, x_{c_i}) < d_i$.

For a triangular set $\mathcal{A}:\ A_1, \ldots, A_r$, we call $\deg(A_1)\deg(A_2)\cdots\deg(A_r)$ the degree of $\mathcal{A}$, denoted as $\deg(\mathcal{A})$. Let $Y$ be the set $\{x_i \in X \mid x_i \text{ is the leading variable of some } A_j \in \mathcal{A}\}$. We use $\mathbb{U}$ to denote $X \setminus Y$ and call the variables in $\mathbb{U}$ parameters of $\mathcal{A}$. Then we call $|\mathbb{U}|$ the dimension of $\mathcal{A}$, denoted as $\dim(\mathcal{A})$.

The following result shows that a monic proper triangular set has nice properties by giving an explicit formula for the number of solutions. The result is useful because we will prove later that the zero set for any polynomial system can be decomposed as the union of the zero sets of monic proper triangular sets.

Theorem 3.5 Let $\mathcal{A}$ be a monic triangular set. Then $\mathcal{A}$ is proper if and only if $|\mathrm{Zero}_q(\mathcal{A})| = \deg(\mathcal{A}) \cdot q^{\dim(\mathcal{A})}$.

Proof: Assume that $\mathcal{A}$ is proper. For the parameters in $\mathbb{U}$, we can substitute them by any element of $\mathbb{F}_q$. Since $|\mathbb{U}| = \dim(\mathcal{A})$, there are $q^{\dim(\mathcal{A})}$ parametric values for $\mathbb{U}$. For a parametric value $U_0$ of $\mathbb{U}$ and a polynomial $P \in \mathbb{R}_q$, let $P'$ denote $P(U_0)$. After the substitution, we obtain a new monic triangular set $\mathcal{A}':\ A'_1, \ldots, A'_r$, where $\mathrm{cls}(A'_i) = \mathrm{cls}(A_i)$ and $\deg(A'_i) = \deg(A_i)$. Let $c_i = \mathrm{cls}(A_i)$ and $d_i = \deg(A_i)$. Since $\mathcal{A}$ is a proper triangular set, we have $x_{c_1}^{q - d_1} A_1 = P_1 A_1$. Then $x_{c_1}^{q - d_1} A'_1 = P'_1 A'_1$. By Lemma 3.4, $A'_1$ has $d_1$ distinct solutions. For a solution $a$ of $A'_1$, consider $A'_2(a)$. Since $\mathcal{A}$ is proper, we have $x_{c_2}^{q - d_2} A_2 = Q_1 A_1 + Q_2 A_2$ and hence $x_{c_2}^{q - d_2} A'_2(a) = Q'_1(a) A'_1(a) + Q'_2(a) A'_2(a)$. Since $A'_1(a) = 0$, we have $x_{c_2}^{q - d_2} A'_2(a) = Q'_2(a) A'_2(a)$. By Lemma 3.4, $A'_2(a)$ has $d_2$ distinct solutions. By repeating the process, we can prove that $\mathcal{A}'$ has $d_1 d_2 \cdots d_r = \deg(\mathcal{A})$ distinct solutions. Hence, $|\mathrm{Zero}_q(\mathcal{A})| = \deg(\mathcal{A}) \cdot q^{\dim(\mathcal{A})}$.

Conversely, let us assume that $\mathcal{A}$ has $N = \deg(\mathcal{A}) \cdot q^{\dim(\mathcal{A})}$ solutions. Since $\mathcal{A}$ is monic, it means that for any parametric value $U_0$ of $\mathbb{U}$ and any point $x$ in $\mathrm{Zero}_q(A_1(U_0), \ldots, A_{i-1}(U_0))$, $A_i(U_0, x)$ has $\deg(A_i)$ distinct solutions. Let $A_i = x_{c_i}^{d_i} + U_i$ for any $i$. For $A_1$, suppose $\mathrm{prem}(x_{c_1}^{q - d_1} A_1, \mathcal{A}) = R_1 \ne 0$. Then we have $(x_{c_1}^{q - d_1} - P_1) A_1 = R_1$, where $P_1$ is a polynomial. Choose a parametric value $U_0$ of $\mathbb{U}$ such that $R_1(U_0) \ne 0$. Then $A_1(U_0)$ has $d_1$ distinct solutions, and this contradicts $0 \le \deg(R_1(U_0), x_{c_1}) < d_1$. Thus, $R_1 = 0$. Now we consider $A_2$. Suppose $\mathrm{prem}(x_{c_2}^{q - d_2} A_2, \mathcal{A}) = R_2 \ne 0$. Then we have two polynomials $Q_1$ and $Q_2$ such that $x_{c_2}^{q - d_2} A_2 = Q_1 A_1 + Q_2 A_2 + R_2$. Choose a parametric value $U_1$ of $\mathbb{U}$ such that $R_2(U_1) \ne 0$. Since $\deg(R_2, x_{c_1}) < d_1$, there is a solution $x$ of $A_1(U_1)$ such that $R_2(U_1, x) \ne 0$. Then we have $(x_{c_2}^{q - d_2} - Q_2(U_1, x)) A_2(U_1, x) = R_2(U_1, x)$. $A_2(U_1, x)$ has $d_2$ distinct solutions, which contradicts $0 \le \deg(R_2(U_1, x), x_{c_2}) < d_2$. Thus, $R_2 = 0$. Similarly, we have $\mathrm{prem}(x_{c_i}^{q - d_i} A_i, \mathcal{A}) = 0$ for all $i$. Hence, $\mathcal{A}$ is proper. □

As a consequence of Theorem 3.5, a monic proper triangular set is square-free.
The concept of regular chains is important because it has several nice properties [1, 5, 43]. The usual definition of regular chains needs to be modified, as shown by the following example. This is due to the fact that $\mathbb{R}_q$ is a ring with zero divisors.

Example 3.6 In $\mathbb{R}_3$, let $A_1 = x_1 x_2$, $A_2 = (x_1^2 - 1) x_3$, and $\mathcal{A} = A_1, A_2$. According to the usual definition, $\mathcal{A}$ is a regular chain. $\mathcal{A}$ is also proper. But $\mathrm{Zero}_3(\mathcal{A}/I_{\mathcal{A}}) = \mathrm{Zero}_3(\mathrm{sat}(\mathcal{A})) = \emptyset$, since $I_{\mathcal{A}} = x_1(x_1^2 - 1) = 0$ in $\mathbb{R}_3$.

For two polynomials $P, Q \in \mathbb{R}_q$, let $\mathrm{resl}(P, Q, x_s)$ be the resultant of $P$ and $Q$ wrt $x_s$ in $\mathbb{R}_q$. Let $\mathcal{A}$ be a triangular set of form (9) such that $c_i = \mathrm{cls}(A_i)$. The resultant of $P$ wrt $\mathcal{A}$ is defined recursively as $\mathrm{resl}(P, \mathcal{A}) = \mathrm{resl}(\mathrm{resl}(P, A_r, x_{c_r}), A_1, \ldots, A_{r-1})$ and $\mathrm{resl}(P, \{\}) = P$.

A chain is called regular if

$$\prod_{i=1}^{r} \mathrm{resl}(I(A_i);\ A_1, \ldots, A_{i-1}) \ne 0.$$

Regular chains have the following property.

Theorem 3.7 Let $\mathcal{A}$ be a regular and proper chain and $\mathbb{U}$ be the parameter set of $\mathcal{A}$. Then there exists a parametric value $U_0$ of $\mathbb{U}$ such that $|\mathrm{Zero}_q(\mathcal{A}(U_0)/I_{\mathcal{A}}(U_0))| = |\mathrm{Zero}_q(\mathcal{A}(U_0))| = \deg(\mathcal{A})$.

Proof: Let $R_i = \mathrm{resl}(I(A_i);\ A_1, \ldots, A_{i-1})$ and $R = \prod_{i=1}^{r} R_i$. Since $R \ne 0$ and $R$ is a polynomial in $\mathbb{R}_q[\mathbb{U}]$, by Lemma 2.5 we can choose a parametric value $U_0$ of $\mathbb{U}$ such that $R(U_0) \ne 0$. Then we have $R_i(U_0) \ne 0$. $R_1(U_0) \ne 0$ means that $I_1(U_0) \ne 0$. Similar to the proof of Theorem 3.5, we can show that $A_1(U_0)$ has $\deg(A_1)$ distinct solutions. $R_2(U_0) \ne 0$ implies that $\mathrm{Zero}_q(I_2(U_0), A_1(U_0)) = \emptyset$. Thus, for a solution $x_{1,1}$ of $A_1(U_0) = 0$, $I_2(U_0, x_{1,1}) \ne 0$ and $A_2(U_0, x_{1,1})$ has $\deg(A_2)$ distinct solutions. Recursively, we have $|\mathrm{Zero}_q(\mathcal{A}(U_0)/I_{\mathcal{A}}(U_0))| = |\mathrm{Zero}_q(\mathcal{A}(U_0))| = \deg(\mathcal{A})$. □

4. An Efficient Zero Decomposition Algorithm in $\mathbb{R}_q$

In this section, we will give an improved algorithm which can be used to decompose the zero set of a polynomial system into the union of zero sets of monic triangular sets. Due to the special property of $\mathbb{R}_q$, this algorithm has better properties and lower complexities than the general zero decomposition algorithm, and the output is stronger.

First, note that the following zero decomposition theorem [10, 24, 28, 30, 40, 41] is still valid and the proof is also quite similar.

Theorem 4.1 There is an algorithm which permits to determine, for a given polynomial set $\mathbb{P}$ and in a finite number of steps, regular and proper triangular sets $\mathcal{A}_j$, $j = 1, \ldots, s$, such that

$$\mathrm{Zero}_q(\mathbb{P}) = \bigcup_{j=1}^{s} \mathrm{Zero}_q(\mathcal{A}_j / I_{\mathcal{A}_j}) = \bigcup_{j=1}^{s} \mathrm{Zero}_q(\mathrm{sat}(\mathcal{A}_j))$$

where $\mathrm{sat}(\mathcal{A}_j)$ is the saturation ideal of $\mathcal{A}_j$.
In $\mathbb{R}_q$, we can give the following improved zero decomposition theorem which allows us to compute the number of solutions for a finite set of polynomials.

Theorem 4.2 For a finite polynomial set $\mathbb{P}$, we can compute monic proper triangular sets $\mathcal{A}_j$, $j = 1, \ldots, s$, such that

$$\mathrm{Zero}_q(\mathbb{P}) = \bigcup_{i=1}^{s} \mathrm{Zero}_q(\mathcal{A}_i)$$

and $\mathrm{Zero}_q(\mathcal{A}_i) \cap \mathrm{Zero}_q(\mathcal{A}_j) = \emptyset$ for $i \ne j$. As a consequence, we have

$$|\mathrm{Zero}_q(\mathbb{P})| = \sum_{i=1}^{s} \deg(\mathcal{A}_i) \cdot q^{\dim(\mathcal{A}_i)}.$$

4.1 A Top-Down Characteristic Set Algorithm

In this section, we will give a top-down characteristic set algorithm TDCS that allows us to compute a decomposition which has the properties mentioned in Theorem 4.2.

Before giving the zero decomposition algorithm, we first give an algorithm to compute a triangular set. The algorithm works from the polynomials with the largest class and hence is a top-down zero decomposition algorithm. The idea of top-down elimination is explored in [26, 40]. The key idea of the algorithm is as follows. Let $Q = I x_c^d + U$ be a polynomial with largest class and smallest degree in $x_c$ in a polynomial set $\mathbb{Q}$. If $I = 1$, we can reduce the degrees of the polynomials in $\mathbb{Q}$ by taking $\mathbb{R} = \mathrm{prem}(\mathbb{Q}, Q)$. Since $I = 1$, we have

$$\mathrm{Zero}_q(\mathbb{Q}) = \mathrm{Zero}_q(\mathbb{R} \cup \{Q\}).$$

If $I \ne 1$, by (7), we split the zero set into two parts:

$$\mathrm{Zero}_q(\mathbb{Q}) = \mathrm{Zero}_q(\mathbb{Q} \cup \{I^{q-1} - 1\}) \cup \mathrm{Zero}_q(\mathbb{Q} \setminus \{Q\} \cup \{I, U\}). \tag{11}$$

In the first part, since $I \ne 0$ and $I^{q-1} - 1 = 0$, $Q$ can be replaced by $Q_1 = x_c^d + I^{q-2} U$ and we can treat this part as in the first case. The second part is simpler than $\mathbb{Q}$ and can be treated recursively. The following well-ordering procedure is based on the above idea.

Algorithm 4.3 — TDTriSet($\mathbb{P}$)
Input: A finite set of polynomials $\mathbb{P}$.

Output: A monic triangular set $\mathcal{A}$ and a set of polynomial systems $\mathbb{P}^*$ such that $\mathrm{Zero}_q(\mathbb{P}) = \mathrm{Zero}_q(\mathcal{A}) \cup \bigcup_{\mathbb{Q} \in \mathbb{P}^*} \mathrm{Zero}_q(\mathbb{Q})$, $\mathrm{Zero}_q(\mathcal{A}) \cap \mathrm{Zero}_q(\mathbb{Q}_1) = \emptyset$, and $\mathrm{Zero}_q(\mathbb{Q}_1) \cap \mathrm{Zero}_q(\mathbb{Q}_2) = \emptyset$ for all $\mathbb{Q}_1, \mathbb{Q}_2 \in \mathbb{P}^*$.

1 Set $\mathcal{A} = \emptyset$ and $\mathbb{P}^* = \emptyset$.

2 While $\mathbb{P} \ne \emptyset$ do

2.1 If some nonzero element $a$ of $\mathbb{F}_q$ is in $\mathbb{P}$, $\mathrm{Zero}_q(\mathbb{P}) = \emptyset$. Return $\mathcal{A} = \emptyset$ and $\mathbb{P}^*$.

2.2 Let $\mathbb{P}_1 \subset \mathbb{P}$ be the polynomials with the highest class.

2.3 Let $Q \in \mathbb{P}_1$ be a polynomial with lowest degree.

2.4 Let $Q = I x_c^d + U$ such that $\mathrm{cls}(Q) = c$, $\deg(Q) = d$ and $\mathrm{init}(Q) = I$.

2.5 If $I = 1$ do

2.5.1 Set $\mathbb{R} = \mathrm{prem}(\mathbb{P}_1, Q)$.

2.5.2 If the classes of the polynomials in $\mathbb{R}$ are lower than $c$ (this situation will always happen when $q = 2$), do

$\mathcal{A} = \mathcal{A} \cup \{Q\}$.
$\mathbb{P} = \mathbb{R} \cup (\mathbb{P} \setminus \mathbb{P}_1)$.

2.5.3 Else, do

$\mathbb{P} = \mathbb{R} \cup \{Q\} \cup (\mathbb{P} \setminus \mathbb{P}_1)$ and goto 2.1.

2.6 Else do

2.6.1 Set $Q_1 = x_c^d + I^{q-2} U$ and $\mathbb{P}_2 = \mathbb{P}_1 \setminus \{Q\}$.

2.6.2 $\mathbb{P} = \mathrm{prem}(\mathbb{P}_2, Q_1) \cup \{I^{q-1} - 1\} \cup (\mathbb{P} \setminus \mathbb{P}_1)$.

2.6.3 $\mathbb{P}_1 = (\mathbb{P} \setminus \{Q\}) \cup \{I, U\}$.

2.6.4 $\mathbb{P}^* = \mathbb{P}^* \cup \{\mathbb{P}_1\}$.

2.6.5 Set $\mathbb{R} = \mathrm{prem}(\mathbb{P}_2, Q_1)$.

2.6.6 If the classes of the polynomials in $\mathbb{R}$ are lower than $c$, do

$\mathcal{A} = \mathcal{A} \cup \{Q_1\}$.

2.6.7 Else, set $\mathbb{P} = \mathbb{P} \cup \{Q_1\}$ and goto 2.1.

3 Return $\mathcal{A}$ and $\mathbb{P}^*$.

The following theorem shows that to compute a monic triangular set in $\mathbb{R}_q$, we need only a polynomial number of polynomial arithmetic operations.

Theorem 4.4 Algorithm TDTriSet is correct, and in the whole algorithm we need $O(n^2 q^2 + nlq)$ polynomial multiplications, where $l = |\mathbb{P}|$. In particular, we need $O(nl)$ polynomial multiplications when $q = 2$.

Proof: Let $\mathbb{P}_1 \subset \mathbb{P}$ be the set of polynomials with the highest class $c$ and $Q \in \mathbb{P}_1$ a polynomial with lowest degree in $x_c$. Let $c = \mathrm{cls}(Q)$, $d = \deg(Q)$ and $I = \mathrm{init}(Q)$. If $I = 1$, then for $P \in \mathbb{P}_1$, as a consequence of the remainder formula (10), $\mathrm{Zero}_q(\{Q, P\}) = \mathrm{Zero}_q(\{Q, \mathrm{prem}(P, Q)\})$. Therefore, we have

$$\mathrm{Zero}_q(\mathbb{P}) = \mathrm{Zero}_q((\mathbb{P} \setminus \mathbb{P}_1) \cup \{Q\} \cup \{\mathrm{prem}(P, Q) \ne 0 \mid P \in \mathbb{P}_1\}).$$

If $I \ne 1$, by (7), we can split $\mathrm{Zero}_q(\mathbb{P})$ into the following two parts:

$$\mathrm{Zero}_q(\mathbb{P}) = \mathrm{Zero}_q(\mathbb{P} \cup \{I^{q-1} - 1\}) \cup \mathrm{Zero}_q(\mathbb{P} \cup \{I\})$$

$$= \mathrm{Zero}_q((\mathbb{P} \setminus \{Q\}) \cup \{Q_1\} \cup \{I^{q-1} - 1\}) \cup \mathrm{Zero}_q( \tag{13}$$

where $Q_1 = x_c^d + I^{q-2} U$. The first part of (13) can be treated similarly to the case of $I = 1$, and the second part of (13) will be a polynomial set in the output. This proves that if we have the output, it must be correct.

Now let us prove the termination of the algorithm. After each iteration of the loop, the lowest degree of the polynomials with highest class in $\mathbb{P}$ will decrease. Then the highest class of the polynomials in $\mathbb{P}$ will be reduced and the polynomial $Q$ will be added to $\mathcal{A}$. Hence, the loop will end and give a triangular set $\mathcal{A}$ and some polynomial sets $\mathbb{P}^*$.

Finally, we will analyze the complexity of the algorithm. Let $l = |\mathbb{P}|$. After each iteration, the lowest degree of the highest class of the polynomials in $\mathbb{P}$ will be reduced at least by one. Then, this loop will execute at most $n(q-1)$ times. After each iteration, if $I = 1$, then the new $\mathbb{P}$ has at most $l$ polynomials. If $I \ne 1$, after this iteration there are two cases:

(a) Except $Q$ we still have some polynomials with this class. Then, the new $\mathbb{P}$ contains at most $l + 1$ polynomials;

(b) The highest class is eliminated by $Q$. Then, the new $\mathbb{P}$ contains at most $l$ polynomials.

Therefore, in the whole algorithm there are at most $n(q-2) + l$ polynomials (the number is $l$ when $q = 2$).

In an iteration, suppose we use $Q = I x_c^d + U$ to eliminate other polynomials. First we should set $Q$ to be monic. It means that we should compute $Q_1 = x_c^d + I^{q-2} U$ and $I^{q-1} - 1$, so we need $2(q-2)$ polynomial multiplications. Thus, in the whole algorithm we need at most $2n(q-1)(q-2)$ polynomial multiplications in order to obtain the monic polynomials. Then we want to get $\mathrm{prem}(P, Q_1)$. Since $Q_1$ is monic, it takes at most one polynomial multiplication when we reduce the degree of $P$ by one. Let $D$ be the sum of the degrees of the polynomials with highest class. Then $D$ decreases by one after one polynomial multiplication. Therefore, we need at most $(n(q-2) + l)(q-1) - 1$ multiplications to reduce $D$ from $(n(q-2) + l)(q-1)$ to $1$. At the same time, we eliminate the highest class. Thus, in the whole algorithm, we need at most $n^2(q-2)(q-1) + nl(q-1) - n$ polynomial multiplications to get the pseudo-remainders. In all, the algorithm needs $O(n^2 q^2 + nlq)$ polynomial multiplications, and when $q = 2$ the number is $O(nl)$. □

Lemma 4.5 Let $\mathbb{P}$ be an input of TDTriSet. Assume that there is a polynomial $P$ in $\mathbb{P}$ such that $\mathrm{cls}(P) = c$ and $\mathrm{init}(P) = 1$. Let $\mathcal{A}$ be the monic triangular set in the output. Then there is a polynomial $P' \in \mathcal{A}$ such that $\mathrm{cls}(P') = c$ and $\deg(P') \le \deg(P)$.

Proof: Since there is a $P$ with class $c$, we need to deal with this class, and we will eliminate this class by $P$ or by a $Q$ with class $c$ and lower degree. This polynomial is the $P'$. □

By using TDTriSet, we have the following zero decomposition algorithm.

Algorithm 4.6 — TDCS($\mathbb{P}$)
Input: A finite set $\mathbb{P}$ of polynomials.

Output: Monic proper triangular sets satisfying the properties in Theorem 4.2.

1 Set $\mathbb{P}^* = \{\mathbb{P}\}$, $\mathcal{A}^* = \emptyset$ and $\mathcal{C}^* = \emptyset$.

2 While $\mathbb{P}^* \ne \emptyset$ do

  2.1 Take a polynomial set $\mathbb{Q}$ from $\mathbb{P}^*$ and set $\mathbb{P}^* = \mathbb{P}^* \setminus \{\mathbb{Q}\}$.

  2.2 Let $\mathcal{A}$ and $\mathbb{Q}^*$ be the output of TDTriSet with input $\mathbb{Q}$.

  2.3 If $\mathcal{A} \ne \emptyset$, set $\mathcal{A}^* = \mathcal{A}^* \cup \{\mathcal{A}\}$.

  2.4 $\mathbb{P}^* = \mathbb{P}^* \cup \mathbb{Q}^*$.

3 Suppose $\mathcal{A}^* = \{\mathcal{A}_1, \ldots, \mathcal{A}_r\}$ and $\mathcal{A}_i = \{A_{i1}, \ldots, A_{ip_i}\}$.

4 Set $\mathbb{P}^* = \{\}$ and for $i$ from 1 to $r$ do

  4.1 Set $\mathbb{B} = \emptyset$.

  4.2 For $j$ from 1 to $p_i$ do

    4.2.1 Let $\mathrm{cls}(A_{ij}) = c_{ij}$ and $\deg(A_{ij}) = d_{ij}$.

    4.2.2 If $R = \mathrm{prem}(x_{c_{ij}}^{q-d_{ij}} A_{ij}, \mathcal{A}_i) \ne 0$, set $\mathbb{B} = \mathbb{B} \cup \{R\}$.

  4.3 If $\mathbb{B} \ne \emptyset$, set $\mathbb{P}^* = \mathbb{P}^* \cup \{\mathcal{A}_i \cup \mathbb{B}\}$.

  4.4 Else, set $\mathcal{C}^* = \mathcal{C}^* \cup \{\mathcal{A}_i\}$.

5 If $\mathbb{P}^* \ne \emptyset$, set $\mathcal{A}^* = \emptyset$ and goto 2.

6 Return $\mathcal{C}^*$.

Theorem 4.7 Algorithm TDCS is correct.

Proof: By Theorem 4.4, if the loop in step 2 ends, we can obtain $\mathcal{A}_1, \ldots, \mathcal{A}_r$ such that $\mathrm{Zero}_q(\mathbb{P}) = \cup_i \mathrm{Zero}_q(\mathcal{A}_i)$. In step 4, we check whether $\mathcal{A}_i$ is a proper triangular set. If it is proper, we save it in the output list $\mathcal{C}^*$. If $\mathcal{A}_i$ is not proper, suppose $\mathcal{A}_i = A_{i1}, \ldots, A_{ip_i}$; we add every $\mathrm{prem}(x_{c_{ij}}^{q-d_{ij}} A_{ij}, \mathcal{A}_i) \ne 0$ to $\mathcal{A}_i$, and obtain a new polynomial set $\mathbb{B}_i$. We have

$\mathrm{Zero}_q(\mathcal{A}_i) = \mathrm{Zero}_q(\mathcal{A}_i, x_{c_{ij}}^{q-d_{ij}} A_{ij}) = \mathrm{Zero}_q(\mathcal{A}_i, \mathrm{prem}(x_{c_{ij}}^{q-d_{ij}} A_{ij}, \mathcal{A}_i)).$

Thus, $\mathrm{Zero}_q(\mathcal{A}_i) = \mathrm{Zero}_q(\mathbb{B}_i)$. Then $\mathbb{B}_i$ is treated recursively by step 2. Hence, if $\{\mathcal{A}'_1, \ldots, \mathcal{A}'_s\}$ is the output of the algorithm, we have $\mathrm{Zero}_q(\mathbb{P}) = \cup_i \mathrm{Zero}_q(\mathcal{A}'_i)$.

Now we prove the termination of the algorithm. Firstly, we prove the termination of step 2. For a polynomial set $\mathbb{P}$, we assign an index $(c, c_{n,q-1}, c_{n,q-2}, \ldots, c_{n,1}, \ldots, c_{1,q-1}, \ldots, c_{1,1})$ where $c_{ij}$ is the number of polynomials in $\mathbb{P}$ with class $i$ and degree $j$, and for $i > c$, $\mathbb{P}$ contains at most one polynomial with class $i$ and this polynomial is monic. Note that, in the TDCS algorithm, we need only to do eliminations on polynomials in $\mathbb{P}$ with class smaller than or equal to $c$. To prove the termination of step 2, we will show that each polynomial set in $\mathbb{Q}^*$ has a smaller index than that of $\mathbb{Q}$ in the lexicographical ordering. To prove this, we need only to show that in each step of Algorithm TDTriSet, the updated polynomial set has a lower index than the original one. In Algorithm TDTriSet, the polynomial set $\mathbb{P}$ is updated in three ways. Firstly, a polynomial $P$ is replaced by $\mathrm{prem}(P, Q)$ where $Q$ is a monic polynomial. This decreases the leading degree of $P$ and hence decreases the index of the polynomial set. Secondly, in step 2.6.2, the polynomial $Q$ is replaced by $Q_1$ and a new polynomial $I^{q-1} - 1$ is added to the polynomial set. If $\mathrm{prem}(\mathbb{P}_2, Q_1) \ne 0$, the index of $\mathbb{P}$ decreases since the degrees of certain polynomials with class $c$ are decreased. If $\mathrm{prem}(\mathbb{P}_2, Q_1) = 0$, the index of $\mathbb{P}$ also decreases because $Q_1$ is now the only polynomial with class $c$ in $\mathbb{P}$ and the first component of the index is decreased by at least one. Thirdly, in step 2.6.3, the polynomial $Q$ is replaced by $\{I, U\}$. It is clear that the index of $\{I, U\}$ is less than the index of $\{Q\}$. It is easy to show that a strictly decreasing sequence of indexes must be finite. This proves the termination of step 2.

Suppose we obtain $\mathcal{A}^* = \mathcal{A}_1, \ldots, \mathcal{A}_r$ after step 2. If all $\mathcal{A}_i$ are proper, the algorithm will terminate. If $\mathcal{A}_i = A_{i1}, \ldots, A_{ip_i}$ is not proper, similarly to the above, we obtain a polynomial set $\mathbb{B}_i$ such that there exist polynomials in $\mathbb{B}_i$ which are reduced wrt $\mathcal{A}_i$. To prove the termination of the whole algorithm, it is sufficient to show that the new monic triangular sets we obtain from $\mathbb{B}_i$ in step 2 are of lower ordering than $\mathcal{A}_i$. Note that $\mathbb{B}_i \setminus \mathcal{A}_i$ is the set of polynomials in $\mathbb{B}_i$ which are reduced wrt $\mathcal{A}_i$.

Now let $\mathbb{Q}_i$ be the set of polynomials with highest class in $\mathbb{B}_i \setminus \mathcal{A}_i$ and $Q$ be the one of lowest degree in $\mathbb{Q}_i$. Let $Q = Ix_c^d + U$. Then in TDTriSet, we split $\mathrm{Zero}_q(\mathbb{B}_i)$ into two parts:

$\mathrm{Zero}_q(\mathbb{B}_i) = \mathrm{Zero}_q(\{\mathbb{B}_i \setminus \{Q\}\} \cup \{x_c^d + I^{q-2}U\} \cup \{I^{q-1} - 1\}) \cup \mathrm{Zero}_q(\{\mathbb{B}_i \setminus \{Q\}\} \cup \{I, U\}).$

Note that $\mathcal{A}_i \subset \mathbb{B}_i$ and if there is a polynomial $A'$ in $\mathcal{A}_i$ with class $c$ then $\deg(A') > \deg(x_c^d + I^{q-2}U)$. Thus, by Lemma 4.5, we can conclude that the monic triangular sets we obtain from $\{\mathbb{B}_i \setminus \{Q\}\} \cup \{x_c^d + I^{q-2}U\} \cup \{I^{q-1} - 1\}$ are of lower ordering than $\mathcal{A}_i$. For $\{\mathbb{B}_i \setminus \{Q\}\} \cup \{I, U\}$, it can be recursively treated as $\mathbb{B}_i$. Hence, we have proved the termination of the algorithm. □

We use the following simple example to illustrate how the algorithm works.

Example 4.8 In $R_3$, let $\mathbb{P} = \{x_1x_2x_3^2 - 1\}$.

In Algorithm TDTriSet, we have $\mathrm{Zero}_3(\mathbb{P}) = \mathrm{Zero}_3(x_3^2 - x_1x_2, x_1^2x_2^2 - 1) \cup \mathrm{Zero}_3(x_1x_2, 1)$. Obviously, $\mathrm{Zero}_3(x_1x_2, 1) = \emptyset$. Then, $\mathrm{Zero}_3(\mathbb{P}) = \mathrm{Zero}_3(x_3^2 - x_1x_2, x_1^2x_2^2 - 1) = \mathrm{Zero}_3(x_3^2 - x_1x_2, x_2^2 - 1, x_1^2 - 1) \cup \mathrm{Zero}_3(x_1^2, 1)$. The algorithm returns $\mathcal{A} = \{x_1^2 - 1, x_2^2 - 1, x_3^2 - x_1x_2\}$ and $\emptyset$.

In Algorithm TDCS, we check whether $\mathcal{A}$ is proper: $\mathrm{prem}(x_3(x_3^2 - x_1x_2), \mathcal{A}) = (1 - x_1x_2)x_3$; $\mathrm{prem}(x_2(x_2^2 - 1), \mathcal{A}) = \mathrm{prem}(x_1(x_1^2 - 1), \mathcal{A}) = 0$. We obtain a new $\mathbb{P}' = \{\mathcal{A}, (x_1x_2 - 1)x_3\}$ such that $\mathrm{Zero}_3(\mathbb{P}) = \mathrm{Zero}_3(\mathbb{P}')$.

Execute Algorithm TDTriSet with input $\mathbb{P}'$. Choose $(x_1x_2 - 1)x_3$ to eliminate $x_3$. Then $\mathrm{Zero}_3(\mathbb{P}') = \mathrm{Zero}_3(x_3, x_3^2 - x_1x_2, x_2^2 - 1, x_1x_2 + 1, x_1^2 - 1) \cup \mathrm{Zero}_3(x_3^2 - x_1x_2, x_1x_2 - 1, x_1^2 - 1, x_2^2 - 1)$. For the first part, we have $\mathrm{Zero}_3(x_3, x_3^2 - x_1x_2, x_2^2 - 1, x_1x_2 + 1, x_1^2 - 1) = \mathrm{Zero}_3(x_3, x_1x_2, x_2^2 - 1, x_1x_2 + 1, x_1^2 - 1) = \emptyset$. For the second part, we execute Algorithm TDTriSet again and have $\mathrm{Zero}_3(x_3^2 - x_1x_2, x_1x_2 - 1, x_2^2 - 1, x_1^2 - 1) = \mathrm{Zero}_3(x_3^2 - x_1x_2, x_2 - x_1, x_2^2 - 1, x_1^2 - 1) \cup \mathrm{Zero}_3(x_3^2 - x_1x_2, x_2^2 - 1, x_1^2 - 1, x_1, 1) = \mathrm{Zero}_3(x_3^2 - x_1x_2, x_2 - x_1, x_1^2 - 1)$. Let $\mathcal{A}' = \{x_3^2 - x_1x_2, x_2 - x_1, x_1^2 - 1\}$. Thus, $\mathrm{Zero}_3(\mathbb{P}) = \mathrm{Zero}_3(\mathcal{A}')$.

Returning to Algorithm TDCS, it is easy to check that $\mathcal{A}'$ is proper. Then we have $\mathrm{Zero}_3(\mathbb{P}) = \mathrm{Zero}_3(x_3^2 - 1, x_2 - x_1, x_1^2 - 1)$, and $|\mathrm{Zero}_3(\mathbb{P})| = 3^0(2 \times 1 \times 2) = 4$.

4.2 Complexity Analysis of TDCS in $R_2$

As we mentioned in Section 1, a complexity analysis for the zero decomposition algorithm has never been given. Although TDCS is much simpler than the zero decomposition algorithm over the field of complex numbers, it is still too difficult to give a complexity analysis in general. However, we are able to give a worst case complexity analysis for algorithm TDCS in the very important case of $R_2$.

In $R_2$, it is easy to prove that a monic triangular set is always proper. Therefore, we do not need to check whether a triangular set is proper in Algorithm TDCS. Moreover, by (4), we can modify Step 2.6.3 of TDTriSet as

$\mathbb{P}_1 = \{\mathbb{P} \setminus \{Q\}\} \cup \mathcal{A} \cup \{U, I\} = \{\mathbb{P} \setminus \{Q\}\} \cup \mathcal{A} \cup \{IU + I + U\},$

and call the new algorithm TDTriSet2. After this modification, the number of polynomials in the new component $\mathbb{P}_1$ will not be bigger than $|\mathbb{P}|$. From the proof of Theorem 4.4, we know that in the whole algorithm TDTriSet2 with input $\mathbb{P}$ the number of polynomials is also at most $|\mathbb{P}|$. Then we obtain the following algorithm:
Algorithm 4.9 — TDCS2($\mathbb{P}$)

Input: A finite set of Boolean polynomials $\mathbb{P}$.

Output: A sequence of monic triangular sets satisfying Theorem 4.2.

1 Set $\mathbb{P}^* = \{\mathbb{P}\}$, $\mathcal{A}^* = \emptyset$ and $\mathcal{C}^* = \emptyset$.

2 While $\mathbb{P}^* \ne \emptyset$ do

  2.1 Take a polynomial set $\mathbb{Q}$ from $\mathbb{P}^*$ and set $\mathbb{P}^* = \mathbb{P}^* \setminus \{\mathbb{Q}\}$.

  2.2 Let $\mathcal{A}$ and $\mathbb{Q}^*$ be the output of TDTriSet2 with input $\mathbb{Q}$.

  2.3 If $\mathcal{A} \ne \emptyset$, set $\mathcal{A}^* = \mathcal{A}^* \cup \{\mathcal{A}\}$.

  2.4 $\mathbb{P}^* = \mathbb{P}^* \cup \mathbb{Q}^*$.

3 Return $\mathcal{A}^*$.

Theorem 4.10 The bitsize complexity of Algorithm TDCS2 is $O(l^n) = O(2^{n \log l})$, where $l$ is the number of polynomials in $\mathbb{P}$.

Remark. It is interesting to note that the complexity of the exhaustive search algorithm is $O(\|\mathbb{P}\| \cdot 2^n)$, where $\|\mathbb{P}\|$ is the bitsize of the polynomials in $\mathbb{P}$ as defined in Section 5.2. The complexity of exhaustive search is generally better than that of our algorithm. But on the other hand, our algorithm can solve nontrivial problems with $n > 128$ as shown in Section 6.2 and Section 6.3, while it is clear that the exhaustive search algorithm cannot do that. The complexity of computing a Gröbner basis of $\mathbb{P} \cup \mathbb{H}$ ($\mathbb{H}$ is defined in (1)) is known to be polynomial in $d^n$ where $d$ is the degree of the polynomials in $\mathbb{P}$ [27]. Recently, Bardet, Faugère and Salvy gave better complexity bounds under the assumption of semi-regularity [2]. It is an interesting open problem whether there exists a deterministic algorithm that finds all the solutions of a Boolean polynomial system with complexity less than $O(2^n)$.

We will prove Theorem 4.10 in the rest of this section. In order to estimate the complexity of algorithm TDCS2, we need to consider the worst case of the algorithm. We call the zero decomposition process in the worst case W-decomposition.

In the worst case, we consider a set $\mathbb{P}$ containing $l$ Boolean polynomials which all have the highest class $n$ and whose initials are all different from 1. Then we need to choose one polynomial $Q = Ix_n + U \in \mathbb{P}$ and add $I + 1$ to $\mathbb{P}$. Let $Q_1 = x_n + U$. Then we have:

$\mathrm{Zero}_2(\mathbb{P}) = \mathrm{Zero}_2(\mathrm{prem}(\mathbb{P} \setminus \{Q\}, Q_1) \cup \{Q_1, I + 1\}) \cup \mathrm{Zero}_2(\mathbb{P} \setminus \{Q\} \cup \{IU + I + U\})$ (14)

In the worst case, we assume that the class of $I + 1$ is $n - 1$ and $\mathrm{prem}(\mathbb{P} \setminus \{Q\}, Q_1)$ contains $l - 1$ non-zero polynomials with class $n - 1$. Moreover, in the second component of (14), we have a new polynomial $IU + I + U$ which is also of class $n - 1$. When we repeat the above procedure for the two components in (14), the above situations always happen. In other words, in the worst case, when we eliminate a variable $x_c$, the newly generated non-zero polynomials are always of class $c - 1$.

We can illustrate the W-decomposition by the following figure:

[Figure: the W-decomposition tree. Along the right arrows, $(l, k, \ldots) \Rightarrow (l-1, k+1, \ldots) \Rightarrow \cdots$; from each node a down arrow leads to $(0, l+k, \ldots) \Rightarrow \cdots$.]

In this figure and the rest of this section, $(l_n, l_{n-1}, \ldots, l_1)$ represents a polynomial set which contains $l_i$ polynomials with class $i$. The right arrows point to the second component in (14), while the down arrows point to the first component in (14) or, more precisely, to $\mathrm{prem}(\mathbb{P} \setminus \{Q\}, Q_1) \cup \{I + 1\}$.

To solve a polynomial set $\mathbb{P}$ with $l$ elements, we will obtain a lot of components. We can sort these components into $n$ groups by the variables involved in them. For any $i = 1, 2, \ldots, n$, the $i$-th group consists of the components where the variables to be eliminated are $\{x_1, x_2, \ldots, x_i\}$. Suppose there are $k_i$ elements in the $i$-th group. We define the time-polynomial of $\mathbb{P}$ to be

$B(\mathbb{P}) = k_nT_n + k_{n-1}T_{n-1} + \cdots + k_1T_1$ (15)

where $T_i$ is a quantity measuring the complexity of executing TDTriSet2 on an input polynomial set consisting of $l$ polynomials in the $i$ variables $\{x_1, x_2, \ldots, x_i\}$. $T_i$ could be the bitsize of the polynomials involved or the number of arithmetic operations needed in the algorithm. Obviously, $B(\mathbb{P})$ gives the corresponding worst case complexity once the meaning of $T_i$ is fixed.

For two polynomial sets $\mathbb{P}_1$ and $\mathbb{P}_2$, let $B(\mathbb{P}_1) = k_nT_n + \cdots + k_1T_1$ and $B(\mathbb{P}_2) = k'_nT_n + \cdots + k'_1T_1$. If $k_i \ge k'_i$ for all $i$, we say that $B(\mathbb{P}_1)$ is of higher ordering than $B(\mathbb{P}_2)$, denoted by $B(\mathbb{P}_1) \ge B(\mathbb{P}_2)$. We define

$S(\mathbb{P}) = B(\mathbb{P}) - T_c$

where $c$ is the highest class of the polynomials in $\mathbb{P}$. Thus, $S(\mathbb{P})$ is the complexity for solving all the components which originate from the second component in (14). The ordering of $S(\mathbb{P})$ is defined in the same way as that of $B(\mathbb{P})$. Therefore, we can use equation (15) as the recursive formula to compute the worst case complexity of the algorithm.

The following result shows that the problems solved with W-decomposition are indeed the worst case in terms of complexity.

Lemma 4.11 Let $\mathbb{Q}$ be a polynomial set of the form $(l, 0, \ldots, 0)$, which needs to be solved with W-decomposition. Let $B(\mathbb{P})$ be the time-polynomial of any other problem with $|\mathbb{P}| \le l$. We have $B(\mathbb{Q}) \ge B(\mathbb{P})$ and $S(\mathbb{Q}) \ge S(\mathbb{P})$.

Proof: We prove the lemma by induction on $n$. If $n = 1$, no components are generated, so we have $B(\mathbb{P}) = T_1$ and $S(\mathbb{P}) = 0$ for any problem, and the lemma holds for $n = 1$. Now suppose we have proved the lemma for $n = k$. If $n = k + 1$, we have the following figure for the W-decomposition of problem $(l, 0, \ldots, 0)$:

[Figure: $(l, 0, \ldots, 0) \Rightarrow (l-1, 1, \ldots, 0) \Rightarrow \cdots \Rightarrow (1, l-1, 0, \ldots, 0) \Rightarrow (0, l, 0, \ldots, 0)$ along the right arrows, with a down arrow from each of the first $l$ nodes to a copy of $(0, l, 0, \ldots, 0)$.]

We can get the following recursive formula for the time-polynomial of $(l, 0, \ldots, 0)$:

$B(l, 0, \ldots) = lT_n + B(0, l, 0, \ldots) + lS(0, l, 0, \ldots, 0)$ (16)

where $(0, l, 0, \ldots)$ represents a W-decomposition problem with $l$ input polynomials in the variables $\{x_1, \ldots, x_{n-1}\}$.

For any other polynomial set $\mathbb{P}$ with no more than $l$ input polynomials, we can write it as $(l_n, l_{n-1}, \ldots, l_1)$. If $l_n = 0$ the lemma can be proved easily from equation (16). Now we assume $l_n > 0$. For the $l_n$ polynomials with class $n$, if there is a polynomial with initial 1, we will not generate any component when we eliminate class $n$, so $B(\mathbb{P}) = T_n + S(\mathbb{P}')$. Note that $|\mathbb{P}'| \le l$ and the elements of $\mathbb{P}'$ all have the $n - 1$ variables $\{x_1, \ldots, x_{n-1}\}$. Thus $B(l, 0, \ldots) \ge B(\mathbb{P})$ and $S(l, 0, \ldots) \ge S(\mathbb{P})$ by the hypothesis.

If there exist no polynomials with initial 1 among these $l_n$ polynomials, we have the following decomposition figure:

[Figure: $(l_n, \ldots) \Rightarrow (l_n - 1, \ldots) \Rightarrow \cdots \Rightarrow (1, \ldots) \Rightarrow \mathbb{P}_0$ along the right arrows, with down arrows to $\mathbb{P}_1, \mathbb{P}_2, \ldots, \mathbb{P}_{l_n}$.]

Thus, we have

$B(\mathbb{P}) = l_nT_n + B(\mathbb{P}_0) + \sum_{i=1}^{l_n} S(\mathbb{P}_i).$

Note that $\mathbb{P}_i$ has at most the $n - 1$ variables $\{x_1, \ldots, x_{n-1}\}$ and $|\mathbb{P}_i| \le l$, for any $i = 0, 1, \ldots, l_n$. By the hypothesis we have $S(\mathbb{P}_i) \le S(0, l, 0, \ldots, 0)$ and $B(\mathbb{P}_0) \le B(0, l, 0, \ldots, 0)$. Since $l \ge l_n$ we can conclude that $B(l, 0, \ldots) \ge B(\mathbb{P})$ and $S(l, 0, \ldots) \ge S(\mathbb{P})$. Consequently, the lemma holds in any case for $n = k + 1$. □

Proof of Theorem 4.10. From equation (16), we can obtain the value of $B(l, 0, \ldots, 0)$. Write $B(0, \ldots, 0, l, 0, \ldots, 0)$ as $B_i$ and $S(0, \ldots, 0, l, 0, \ldots, 0)$ as $S_i$, where $l$ is in the $i$-th coordinate. Then we have $B_n = l(T_n - T_{n-1}) + (l + 1)B_{n-1}$. It is easy to check that for $n \ge 3$ we have

$B_n = lT_n + l^2T_{n-1} + l^2(l+1)T_{n-2} + \cdots + l^2(l+1)^{n-3}T_2 + (l+1)^{n-2}T_1.$

If the variables of the input polynomials are $\{x_1, \ldots, x_k\}$, the number of monomials occurring in TDTriSet2 is at most $2^k$, and therefore the bitsize complexity of one multiplication is $2 \cdot 4^k$. By Theorem 4.4, we can substitute $T_k$ with $(2 \cdot 4^k)k(l - 1)$ for any $k \ge 2$, and $T_1$ can be set to 0. We have $B_n \approx 2(4^3l^{n+1} - 4^{n+1}l^3)/(l - 4)^2 + 4^3l(l^n - 2nl4^{n-2})/(l - 4)$. Since $l \gg 4$, we have proved Theorem 4.10.
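The time-polynomial recurrence (16) and the closed form for $B_n$ above, carried through numerically as an added example (this is not code from the paper). It assumes the substitution made in the proof, $T_k = 2 \cdot 4^k\, k(l-1)$ for $k \ge 2$ and $T_1 = 0$, and checks that the recurrence and the closed form agree.

```python
"""Worst-case time-polynomial of Section 4.2, added as an illustration (it is not
code from the paper): recurrence (16) for B(l,0,...,0), with S(F) = B(F) - T_c,
evaluated and compared with the closed form used in the proof of Theorem 4.10."""


def bitsize_T(l):
    """T_k under the substitution made in the proof: 2*4^k bits per polynomial
    multiplication and, by Theorem 4.4, k(l-1) multiplications for k >= 2; T_1 = 0."""
    return lambda k: 0 if k == 1 else 2 * 4 ** k * k * (l - 1)


def time_polynomial(n, l, T):
    """B_n = B(l,0,...,0) for n variables from recurrence (16):
    B(l,0,...) = l*T_n + B(0,l,0,...) + l*S(0,l,0,...),  S = B - T_{n-1}."""
    B = T(1)                        # n = 1: no components are generated, B_1 = T_1
    for k in range(2, n + 1):
        S = B - T(k - 1)            # S_{k-1}: components of the problem (0,l,0,...)
        B = l * T(k) + B + l * S    # l down-arrow components, each costing S_{k-1}
    return B


def closed_form(n, l, T):
    """B_n = l T_n + l^2 T_{n-1} + l^2 (l+1) T_{n-2} + ... + l^2 (l+1)^{n-3} T_2
    + (l+1)^{n-2} T_1, as stated in the proof for n >= 3."""
    total = l * T(n) + (l + 1) ** (n - 2) * T(1)
    for k in range(2, n):           # the T_{n-1}, ..., T_2 terms
        total += l * l * (l + 1) ** (n - 1 - k) * T(k)
    return total


def recurrence_matches_closed_form(max_n=9, ls=(5, 8, 16)):
    """Check that the two formulas agree for every 3 <= n <= max_n and l in ls."""
    return all(time_polynomial(n, l, bitsize_T(l)) == closed_form(n, l, bitsize_T(l))
               for n in range(3, max_n + 1) for l in ls)
```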

5. A Multiplication Free Zero Decomposition Algorithm in $R_2$

It is known that a major difficulty in computing a zero decomposition is the occurrence of large polynomials, which are caused mainly by multiplication of polynomials. For this reason, even the procedure to compute one triangular set, called the well-ordering procedure in [41], has exponential complexity for all known CS methods. In order to overcome this difficulty, we introduce a zero decomposition algorithm in $R_2$ where only additions of polynomials are used. We show that the well-ordering procedure in our multiplication free algorithm has polynomial time complexity for input polynomials with fixed degree.

5.1 The Algorithm

The key idea of the algorithm is to avoid polynomial multiplications. Before computing the pseudo-remainders, we reduce the initials of the polynomials in $\mathbb{P}_1$ in step 2.2 of Algorithm TDTriSet to 1 by repeatedly using (11). For such polynomials, we have the following result.

Lemma 5.1 Let $P = x_c + U_1$ and $Q = x_c + U_2$ be polynomials with class $c$ and initial 1. Then, we have $\deg(\mathrm{prem}(Q, P)) \le \max\{\deg(U_1), \deg(U_2)\}$.

Proof: In that case, the pseudo-remainder needs additions only: $\mathrm{prem}(Q, P) = U_1 + U_2$. The lemma follows from this formula directly. □

Based on the above idea, Algorithm TDTriSet can be modified to the following multiplication free (MF) well-ordering procedure to compute a triangular set.

Algorithm 5.2 — MFTriSet($\mathbb{P}$)
Input: A finite set of polynomials $\mathbb{P}$.

Output: A monic triangular set $\mathcal{A}$ and a set of polynomial systems $\mathbb{P}^*$ such that $\mathrm{Zero}_2(\mathbb{P}) = \mathrm{Zero}_2(\mathcal{A}) \cup \bigcup_{\mathbb{Q} \in \mathbb{P}^*} \mathrm{Zero}_2(\mathbb{Q})$, $\mathrm{Zero}_2(\mathcal{A}) \cap \mathrm{Zero}_2(\mathbb{Q}_i) = \emptyset$, and $\mathrm{Zero}_2(\mathbb{Q}_1) \cap \mathrm{Zero}_2(\mathbb{Q}_2) = \emptyset$ for all distinct $\mathbb{Q}_1, \mathbb{Q}_2 \in \mathbb{P}^*$.

1 Set $\mathbb{P}^* = \{\}$, $\mathcal{A} = \emptyset$.

2 While $\mathbb{P} \ne \emptyset$ do

  2.1 If $1 \in \mathbb{P}$, $\mathrm{Zero}_2(\mathbb{P}) = \emptyset$. Set $\mathcal{A} = \emptyset$ and return $\mathcal{A}$ and $\mathbb{P}^*$.

  2.2 Let $\mathbb{P}_1 \subset \mathbb{P}$ be the polynomials with the highest class.

  2.3 Let $\mathbb{P}_2 = \emptyset$, $\mathbb{Q}_1 = \mathbb{P} \setminus \mathbb{P}_1$.

  2.4 While $\mathbb{P}_1 \ne \emptyset$ do

    Let $P = Ix_c + U \in \mathbb{P}_1$, $\mathbb{P}_1 = \mathbb{P}_1 \setminus \{P\}$.
    $\mathbb{Q}_2 = \mathbb{P}_1 \cup \mathbb{Q}_1 \cup \mathbb{P}_2 \cup \{I, U\}$.
    $\mathbb{P}^* = \mathbb{P}^* \cup \{\mathbb{Q}_2\}$.
    $\mathbb{P}_2 = \mathbb{P}_2 \cup \{x_c + U\}$, $\mathbb{Q}_1 = \mathbb{Q}_1 \cup \{I + 1\}$.

  2.5 Let $Q = x_c + U$ be a polynomial with lowest degree in $\mathbb{P}_2$.

  2.6 $\mathcal{A} = \mathcal{A} \cup \{Q\}$.

  2.7 $\mathbb{P} = \mathbb{Q}_1 \cup \mathrm{prem}(\mathbb{P}_2, Q)$.

3 Return $\mathcal{A}$ and $\mathbb{P}^*$.

In Step 2.4, we use formula (11) in $R_2$, that is, for $P = Ix_c + U$,

$\mathrm{Zero}_2(P) = \mathrm{Zero}_2(\{x_c + U, I + 1\}) \cup \mathrm{Zero}_2(\{I, U\})$

to split the polynomial set.

With Algorithm MFTriSet, we can easily give a multiplication-free zero decomposition algorithm: we just need to replace Algorithm TDTriSet2 by Algorithm MFTriSet in Algorithm TDCS2. We call this algorithm MFCS.

Algorithm 5.3 — MFCS($\mathbb{P}$)
Input: A finite set of polynomials $\mathbb{P}$.

Output: Monic proper triangular sets satisfying the properties in Theorem 4.2.

1 Set $\mathbb{P}^* = \{\mathbb{P}\}$, $\mathcal{A}^* = \emptyset$ and $\mathcal{C}^* = \emptyset$.

2 While $\mathbb{P}^* \ne \emptyset$ do

  2.1 Take a polynomial set $\mathbb{Q}$ from $\mathbb{P}^*$ and set $\mathbb{P}^* = \mathbb{P}^* \setminus \{\mathbb{Q}\}$.

  2.2 Let $\mathcal{A}$ and $\mathbb{Q}^*$ be the output of MFTriSet with input $\mathbb{Q}$.

  2.3 If $\mathcal{A} \ne \emptyset$, set $\mathcal{A}^* = \mathcal{A}^* \cup \{\mathcal{A}\}$.

  2.4 $\mathbb{P}^* = \mathbb{P}^* \cup \mathbb{Q}^*$.

3 Return $\mathcal{A}^*$.
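An added Python implementation of MFTriSet (Algorithm 5.2) and MFCS (Algorithm 5.3), not the authors' C implementation; it also serves the length measure $\|P\|$ of Section 5.2 by checking the bound of Theorem 5.4 on a run. The two sample systems, the brute-force zero enumeration, and the count $2^{n-r}$ for a monic triangular set with $r$ elements in $R_2$ are checks constructed here for illustration.

```python
"""MFTriSet (Algorithm 5.2) and MFCS (Algorithm 5.3) over R_2, added as an
illustration (not the authors' C implementation).  A Boolean polynomial is a
frozenset of monomials, a monomial a frozenset of variable indices (the empty
monomial is 1); addition is symmetric difference and nothing is multiplied."""
from itertools import product

ONE_MONO = frozenset()                 # the monomial 1
CONST_ONE = frozenset({ONE_MONO})      # the polynomial 1

def poly(*monos):
    """Build a polynomial from monomials given as tuples of variable indices."""
    return frozenset(frozenset(m) for m in monos)

def cls(p):
    """Class of p: the largest variable index in p (0 for the constants)."""
    return max((max(m) for m in p if m), default=0)

def deg(p):
    return max((len(m) for m in p), default=0)

def length(p):
    """||P|| of Section 5.2: sum of the monomial lengths, with ||1|| = 1."""
    return sum(max(len(m), 1) for m in p)

def split(p, c):
    """Write p = I*x_c + U with cls(U) < c and return (I, U)."""
    return (frozenset(m - {c} for m in p if c in m),
            frozenset(m for m in p if c not in m))

def mf_tri_set(P, seen=None):
    """Algorithm 5.2.  Returns (A, P_star); A is None when Zero_2(P) is empty
    (the paper's 'A = empty' signal).  If seen is a list, every polynomial of
    every round is appended to it (used to check the bound of Theorem 5.4)."""
    P = {p for p in P if p}                          # drop zero polynomials
    P_star, A = [], []
    while P:
        if seen is not None:
            seen.extend(P)
        if CONST_ONE in P:                           # step 2.1: 1 = 0 is impossible
            return None, P_star
        c = max(cls(p) for p in P)
        P1 = sorted((p for p in P if cls(p) == c), key=deg)   # step 2.2
        Q1 = {p for p in P if cls(p) < c}            # step 2.3
        P2 = set()
        while P1:                                    # step 2.4, formula (11)
            I, U = split(P1.pop(), c)
            if I != CONST_ONE:        # when I = 1 the branch {1, U} has no zeros
                P_star.append(set(P1) | Q1 | P2 | {I, U})   # branch I = 0, U = 0
                Q1.add(I ^ CONST_ONE)                # I + 1 joins the main branch
            P2.add(frozenset({frozenset({c})}) ^ U)  # x_c + U, initial 1
        Q = min(P2, key=deg)                         # step 2.5: lowest degree
        A.append(Q)                                  # step 2.6
        # step 2.7: prem(x_c + U_i, x_c + U) = U_i + U (Lemma 5.1), i.e. p ^ Q
        P = Q1 | {p ^ Q for p in P2 if p != Q}
        P.discard(frozenset())
    return A, P_star

def mfcs(P):
    """Algorithm 5.3: TDCS2 with MFTriSet as the well-ordering procedure."""
    work, out = [set(P)], []
    while work:
        A, Q_star = mf_tri_set(work.pop())
        if A is not None:
            out.append(A)
        work.extend(Q_star)
    return out

def evaluate(p, point):
    """Value of p at a 0/1 point; point[i-1] is the value of x_i."""
    return sum(all(point[v - 1] for v in m) for m in p) % 2

def zeros_of(polys, n):
    """Brute-force Zero_2 over all 2^n points (for checking only)."""
    return {pt for pt in product((0, 1), repeat=n)
            if all(evaluate(p, pt) == 0 for p in polys)}

def is_monic_triangular(A):
    """Distinct positive classes, every element of the form x_c + U."""
    classes = [cls(p) for p in A]
    return (len(set(classes)) == len(classes) and 0 not in classes
            and all(split(p, cls(p))[0] == CONST_ONE for p in A))

def check(P, n):
    """Decompose P, verify it against brute force and return a summary."""
    dec, brute = mfcs(P), zeros_of(P, n)
    assert all(is_monic_triangular(A) for A in dec)
    assert set().union(*(zeros_of(A, n) for A in dec)) == brute
    # a monic triangular set with r elements has 2^(n-r) zeros in R_2, and the
    # components are disjoint, so the counts must add up to |Zero_2(P)|
    assert sum(2 ** (n - len(A)) for A in dec) == len(brute)
    seen = []
    mf_tri_set(P, seen)
    max_len = max(length(t) for t in seen)
    assert max_len <= sum(length(p) for p in P)      # Theorem 5.4
    return {"components": len(dec), "zeros": len(brute), "max_length": max_len}

# Constructed sample systems in R_2 with n = 3 (not taken from the paper).
SAMPLE1 = [poly((1, 3), (2,)), poly((1, 2), (3,), ())]   # x1x3+x2, x1x2+x3+1
SAMPLE2 = [poly((1, 2), (3,)), poly((2,), (3,), (1, 3))]  # x1x2+x3, x2+x3+x1x3
```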

Remark. In the following, we will analyze the complexity of Algorithm MFTriSet. Basically, we will show that the size of the polynomials is bounded by the size of the input polynomials and that the worst case complexity of this algorithm is roughly $O(n^d)$. The second result implies that for a fixed $d$, say $d = 2$, Algorithm MFTriSet is a polynomial time algorithm. Note that solving quadratic Boolean equations is NP complete. In Algorithm MFCS, the number of branches could be exponential. We will discuss how to control the number of branches in Section 6.

5.2 Bitsize Bounds of the Polynomials in MFTriSet

In order to estimate the size of the polynomials, we introduce a bitsize measure for a polynomial in $R_2$. Let $M = x_{i_1}x_{i_2}\cdots x_{i_k}$ be a monomial. The length of $M$, denoted by $\|M\|$, is defined to be $k$. Specially, the length of 1 is defined as 1. For a polynomial $P = M_1 + \cdots + M_t$ where the $M_i$ are monomials, $\|P\| = \sum_{i=1}^t \|M_i\|$ is called the length of $P$.

We first note that since Algorithm MFCS is multiplication free, the degrees of the polynomials occurring in the algorithm will be bounded by $d = \max_{P \in \mathbb{P}}\{\deg(P)\}$. As a consequence, the size of the polynomials occurring in the algorithm will be bounded by $O(n^d)$. Then, the size of the polynomials is effectively controlled if $d$ is small. For all the examples in Section 6, we have $d \le 4$ and $n$ ranges from 40 to 128. For such examples, the polynomials have size $O(n^4)$, while the largest possible polynomial in $n$ variables has size $O(2^n)$.

In the following theorem, we will further show that the size of the polynomials in Algorithm MFTriSet is effectively controlled in all cases.

Theorem 5.4 Let $n$ be the number of variables and $\mathbb{P}$ the input of Algorithm MFTriSet. Then, for any polynomial $T$ occurring in Algorithm MFTriSet, we have $\|T\| \le \sum_{P \in \mathbb{P}} \|P\|$. If $|\mathbb{P}| > n$, then there exist $n$ polynomials $P_1, \ldots, P_n$ in $\mathbb{P}$ such that $\|T\| \le \|P_1\| + \|P_2\| + \cdots + \|P_n\|$.

This result is nontrivial, because repeated additions of polynomials can increase the size of the polynomials by an exponential factor. The proof of this result is quite complicated. Intuitively, we want to show that a polynomial $P$ used in early steps of the algorithm will be "canceled" in later steps by the addition of two polynomials both containing $P$, that is, $(P_1 + P) + (P_2 + P) = P_1 + P_2$.

In order to prove Theorem 5.4, we need to prove several lemmas first. Let $k$ be an integer and $P$ be a polynomial. Write $P = Ix_k + U$ as a univariate polynomial in $x_k$. We define two operators $\mathcal{R}_k$ and $\mathcal{J}_k$ as follows:

$\mathcal{R}_k(P) = U,\ \mathcal{J}_k(P) = I + 1$ if $\mathrm{cls}(P) = k$; $\quad \mathcal{R}_k(P) = P,\ \mathcal{J}_k(P) = 0$ if $\mathrm{cls}(P) < k$. (17)

Then, we have the following lemma.

Lemma 5.5 Let $P$ and $Q$ be polynomials with $\mathrm{cls}(P) \le k$ and $\mathrm{cls}(Q) \le k$. Then

(1) $\mathcal{R}_k(P + Q) = \mathcal{R}_k(P) + \mathcal{R}_k(Q)$;

(2) $\mathcal{R}_k(P + 1) = \mathcal{R}_k(P) + 1$;

(3) If $\mathrm{cls}(P) = \mathrm{cls}(Q) = k$ then $\mathcal{J}_k(P + Q) = \mathcal{J}_k(P) + \mathcal{J}_k(Q) + 1$; otherwise $\mathcal{J}_k(P + Q) = \mathcal{J}_k(P) + \mathcal{J}_k(Q)$.

Proof: It is easy to check. □

Note that we can define the composition of $\mathcal{R}$ and $\mathcal{J}$ naturally. Let $\mathcal{S}_{j,k} = \{O_jO_{j+1}\cdots O_k \mid O_i = \mathcal{R}_i$ or $\mathcal{J}_i,\ i = j, \ldots, k\}$, where $1 \le j \le k \le n$.

Lemma 5.6 Let $P$ be a polynomial with $\mathrm{cls}(P) = k$. Then $\sum_{L_{j,i} \in \mathcal{S}_{j,k}} \|L_{j,i}P\| \le \|P\|$ for any fixed $j = 1, 2, \ldots, k$.

Proof: For a polynomial $Q = Ix_c + U$ with $I \ne 1$, we have $\|Q\| \ge \|I\| + \|U\| + 1$, $\mathcal{J}_cQ = I + 1$ and $\mathcal{R}_cQ = U$. Therefore, $\|\mathcal{J}_cQ\| + \|\mathcal{R}_cQ\| = \|I + 1\| + \|U\| \le \|I\| + \|U\| + 1 \le \|Q\|$. If $I = 1$, we have $\|\mathcal{J}_cQ\| + \|\mathcal{R}_cQ\| = 0 + \|U\| \le \|Q\|$. For $i > c$, we have $\mathcal{J}_iQ = 0$ and $\mathcal{R}_iQ = Q$. Then $\|\mathcal{J}_iQ\| + \|\mathcal{R}_iQ\| = \|Q\|$. Hence, in any case, we have $\|\mathcal{J}_iQ\| + \|\mathcal{R}_iQ\| \le \|Q\|$.

For any $j$, we have $\sum_{L_{j,i} \in \mathcal{S}_{j,k}} \|L_{j,i}P\| = \sum_{L_{j+1,i} \in \mathcal{S}_{j+1,k}} (\|\mathcal{J}_jL_{j+1,i}P\| + \|\mathcal{R}_jL_{j+1,i}P\|) \le \sum_{L_{j+1,i} \in \mathcal{S}_{j+1,k}} \|L_{j+1,i}P\| \le \cdots \le \|\mathcal{J}_kP\| + \|\mathcal{R}_kP\| \le \|P\|$. □

Proof of Theorem 5.4: For any $k = 1, \ldots, n$, we assume that in the $k$-th round of MFTriSet we deal with the polynomials of class $k$. In Algorithm MFTriSet, when we compute the pseudo-remainder of two polynomials $P$ and $Q$ in the $k$-th round, we set their initials to 1 first, and then compute the new polynomial $\mathcal{R}_kP + \mathcal{R}_kQ$. Thus, a polynomial $P^{(k)}$ in the $k$-th round can be obtained in three ways:

(1) $P^{(k)}$ is an input polynomial;

(2) $P^{(k)}$ comes from $\mathrm{init}(Q^{(k+i)}) + 1$ for some $Q^{(k+i)}$ of round $k + i$, that is, $P^{(k)} = \mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}\mathcal{J}_{k+i}Q^{(k+i)}$;

(3) $P^{(k)} = \mathcal{R}_{k+j}(Q_1^{(k+j)} + Q_2^{(k+j)}) = \mathcal{R}_{k+1}\cdots\mathcal{R}_{k+j}(Q_1^{(k+j)} + Q_2^{(k+j)}) = \mathcal{R}_{k+1}\cdots\mathcal{R}_{k+j}Q_1^{(k+j)} + \mathcal{R}_{k+1}\cdots\mathcal{R}_{k+j}Q_2^{(k+j)}$, where $Q_1^{(k+j)}$ and $Q_2^{(k+j)}$ are polynomials of round $k + j$.



In cases 2 and 3, if $i$ and $j$ are bigger than 1, we still regard $\mathcal{R}_{k+2}\cdots\mathcal{R}_{k+i-1}\mathcal{J}_{k+i}Q^{(k+i)}$, $\mathcal{R}_{k+2}\cdots\mathcal{R}_{k+j}Q_1^{(k+j)}$ and $\mathcal{R}_{k+2}\cdots\mathcal{R}_{k+j}Q_2^{(k+j)}$ as polynomials of round $k + 1$. In this way, we can represent $P^{(k)}$ by operators and polynomials of round $k + 1$. We call it the backtracking representation of $P^{(k)}$. Now we can consider these polynomials of round $k + 1$ and get their backtracking representations. By Lemma 5.5, we can get a representation of $P^{(k)}$ by composite operators and polynomials of round $k + 2$. Then, we can do the process recursively. In the process of computing the backtracking representation, when we meet an input polynomial, we stop representing this polynomial by the ones of higher round. At last, we backtrack to round $n$, and eliminate the terms composed of the same operators and polynomials. Note that the polynomials of round $n$ are all from the input. Then we have

$P^{(k)} = \sum_{i=1}^{r_n}\sum_{L_j \in T_{n,i}} L_jQ_i^{(n)} + \sum_{i=1}^{r_{n-1}}\sum_{L_j \in T_{n-1,i}} L_jQ_i^{(n-1)} + \cdots + \sum_{i=1}^{r_{k+1}}\sum_{L_j \in T_{k+1,i}} L_jQ_i^{(k+1)}$ (18)

or

$P^{(k)} = \sum_{i=1}^{r_n}\sum_{L_j \in T_{n,i}} L_jQ_i^{(n)} + \sum_{i=1}^{r_{n-1}}\sum_{L_j \in T_{n-1,i}} L_jQ_i^{(n-1)} + \cdots + \sum_{i=1}^{r_{k+1}}\sum_{L_j \in T_{k+1,i}} L_jQ_i^{(k+1)} + 1$ (19)

where $T_{m,i} \subset \mathcal{S}_{k+1,m}$ is a set of composite operators and $Q_i^{(m)}$ is an input polynomial with class $m$ ($m = k + 1, \ldots, n$, $i = 1, \ldots, r_m$). The appearance of 1 is due to equation (3) of Lemma 5.5. The number of different polynomials in the above equation, denoted by $N$, is $r_{k+1} + r_{k+2} + \cdots + r_n$.

Now we will give an upper bound for $N$. It is easy to see that, when we backtrack to round $k + 1$, there exist at most two different polynomials. Suppose that now we backtrack to round $k + i$, and there are $t$ different polynomials in the representation. Then, $t_1$ of them are of the form $\mathcal{R}_{k+i+1}f$, where $f$ is a polynomial with $\mathrm{cls}(f) < k + i + 1$; $t_2$ of them are of the form $\mathcal{J}_{k+i+1}g$, where $\mathrm{cls}(g) = k + i + 1$; $t_3$ of them are input polynomials. Thus, the others can be represented as $\mathcal{R}_{k+i+1}h + \mathcal{R}_{k+i+1}h_i$, where $h$ is a fixed polynomial with $\mathrm{cls}(h) = k + i + 1$ and $h_i$ is some polynomial with $\mathrm{cls}(h_i) = k + i + 1$. Therefore, the number of different polynomials in the representation of round $k + i + 1$ is at most $2(t - t_1 - t_2 - t_3) - (t - t_1 - t_2 - t_3 - 1) + t_1 + t_2 + t_3 = t + 1$. Hence, when we backtrack to round $n$, we have $N \le n - k + 1$.

For any $m = k + 1, \ldots, n$, $i = 1, \ldots, r_m$, since $T_{m,i} \subset \mathcal{S}_{k+1,m}$, by Lemma 5.6, we have

$\sum_{L_j \in T_{m,i}} \|L_jQ_i^{(m)}\| \le \sum_{L_j \in \mathcal{S}_{k+1,m}} \|L_jQ_i^{(m)}\| \le \|Q_i^{(m)}\|.$

(a) Suppose that $P^{(k)}$ is of form (18). We have $\|P^{(k)}\| \le \sum_{m=k+1}^n \sum_{i=1}^{r_m} \|Q_i^{(m)}\|$ where $r_{k+1} + \cdots + r_n \le n - k + 1 \le n$.

(b) Suppose the representation of $P^{(k)}$ is equation (19). It is easy to see that there exists a term of the form $\mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}\mathcal{J}_{k+i}LQ^{(k+j)}$, where $Q^{(k+j)}$ is an input polynomial with class $k + j$, $L \in \mathcal{S}_{k+i+1,k+j}$ and $\mathrm{cls}(LQ^{(k+j)}) = k + i$. If $\mathrm{init}(LQ^{(k+j)}) = W + 1$ where $W$ is a polynomial without a constant term, we have $\mathcal{J}_{k+i}LQ^{(k+j)} = W$. Therefore $\|\mathcal{J}_{k+i}LQ^{(k+j)}\| + \|\mathcal{R}_{k+i}LQ^{(k+j)}\| < \|LQ^{(k+j)}\|$. Hence, $\|P^{(k)}\| \le \sum_{m=k+1}^n \sum_{i=1}^{r_m} \|Q_i^{(m)}\| - 1 + 1$, which means $\|P^{(k)}\| \le \sum_{m=k+1}^n \sum_{i=1}^{r_m} \|Q_i^{(m)}\|$. If $\mathrm{init}(LQ^{(k+j)}) = W$ where $W$ is a polynomial without a constant term, we have $\mathcal{J}_{k+i}LQ^{(k+j)} = W + 1$. Thus, $P^{(k)} = \mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}\mathcal{J}_{k+i}LQ^{(k+j)} + 1 + E = \mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}W + E$ where $E$ is the sum of the other terms in equation (19). Obviously, $\|\mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}W\| < \|\mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}(W + 1)\| = \|\mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}\mathcal{J}_{k+i}LQ^{(k+j)}\|$. Then $\|P^{(k)}\| \le \|\mathcal{R}_{k+1}\cdots\mathcal{R}_{k+i-1}\mathcal{J}_{k+i}LQ^{(k+j)}\| + \|E\| \le \sum_{m=k+1}^n \sum_{i=1}^{r_m} \|Q_i^{(m)}\|$.

In summary, we always have $\|P^{(k)}\| \le \sum_{m=k+1}^n \sum_{i=1}^{r_m} \|Q_i^{(m)}\|$ where $r_{k+1} + \cdots + r_n \le n - k + 1 \le n$. □

The following result shows that even the size of the monomials occurring in the algorithms is nicely bounded.

Corollary 5.7 Let $\mathcal{M}$ be the set of distinct monomials which are contained in some polynomial occurring in Algorithm MFTriSet and $H = \sum_{m \in \mathcal{M}} \|m\|$. Then, $H \le \sum_{P \in \mathbb{P}} \mathrm{cls}(P)\|P\| + 1$ where $\mathbb{P}$ is the input of the algorithm.

Proof: From the proof of Theorem 5.4, a polynomial $P$ occurring in Algorithm MFTriSet must have form (18) or (19). Then, a monomial $m$ of $P$ must be either 1 or contained in some $LQ^{(k)}$, where $Q^{(k)}$ is an input polynomial with class $k$ and $L \in \mathcal{S}_{j,k}$ for some $j$. Thus, $H$ is not bigger than the sum of the lengths of all such $LQ$ and 1. From Lemma 5.6, $\sum_{L_2 \in \mathcal{S}_{2,k}} \|L_2Q^{(k)}\| + \cdots + \sum_{L_k \in \mathcal{S}_{k,k}} \|L_kQ^{(k)}\| + \|Q^{(k)}\| \le k\|Q^{(k)}\|$. Considering all input polynomials $P$ and 1, we get the corollary. □

5.3 Complexity Analysis of MFTriSet

For a polynomial set $\mathbb{P}$, we define $\mathrm{tdeg}(\mathbb{P})$ to be the highest total degree of the elements in $\mathbb{P}$. In this section, we will always consider a Boolean polynomial set $\mathbb{P}$ with $l$ polynomials and $\mathrm{tdeg}(\mathbb{P}) = d$.

Theorem 5.8 For an input polynomial set $\mathbb{P}$ with $|\mathbb{P}| = l$ and $\mathrm{tdeg}(\mathbb{P}) = d$, the bitsize complexity of MFTriSet is $O(ln^{d+1}\sum_{P \in \mathbb{P}} \mathrm{term}(P))$. If $l > n$, the bitsize complexity of MFTriSet is $O(ln^{d+2}M)$ where $M = \max_{P \in \mathbb{P}} \mathrm{term}(P)$.

As a consequence, Algorithm MFTriSet is a polynomial-time algorithm for small $d$. For all the examples in Section 6, we have $d \le 4$ and $n$ ranges from 40 to 128. For such examples, the complexity is $O(n^8M)$ since $l$ is roughly $O(n^2)$.

We will prove Theorem 5.8 in the rest of this section. As in Section 5.2, we assume that in the $k$-th round of MFTriSet, started at step 2, we deal with the polynomials of class $k$, which is the worst case. Suppose that we have $l_k$ polynomials with class $k$ in the $k$-th round. Since the complexity of computing $I + 1$ is smaller than that of the polynomial additions, we only consider the addition of two polynomials. Then we need to do $l_k - 1$ polynomial additions in order to eliminate $x_k$. Thus, if we can estimate the number of polynomials in $\mathbb{P}$ in every round, then we can obtain the complexity bound of MFTriSet. Note that, in Step 2.5 of MFTriSet, we choose a $Q$ with the lowest degree, which is important for the complexity analysis.
Suppose that we have a polynomial set $\mathbb{S} = \{P_1, \ldots, P_l\}$ with class $n$, which is the worst case. After eliminating $x_n$, we obtain two sets of polynomials:

$\mathbb{S}_J = \{\mathcal{J}_nP \mid P \in \mathbb{S}\},\quad \mathbb{S}_R = \{\mathcal{R}_n(P_s + P) \mid P \in \mathbb{S}\}$

where $P_s$ is a fixed polynomial with lowest degree in $\mathbb{S}$ and $\{\mathcal{J}_n, \mathcal{R}_n\}$ are the operators defined in (17). Note that $\mathrm{tdeg}(\mathbb{S}_J) \le d - 1$ and $\mathrm{tdeg}(\mathbb{S}_R) \le d$. Moreover, $|\mathbb{S}_J| \le l$ and $|\mathbb{S}_R| \le l$. After eliminating $x_{n-1}$, we have four polynomial sets:

$\mathbb{S}_{JJ} = \{\mathcal{J}_{n-1}P \mid P \in \mathbb{S}_J\},\quad \mathbb{S}_{JR} = \{\mathcal{J}_{n-1}P \mid P \in \mathbb{S}_R\},$

$\mathbb{S}_{RJ} = \{\mathcal{R}_{n-1}(P_s + P) \mid P \in \mathbb{S}_J\},\quad \mathbb{S}_{RR} = \{\mathcal{R}_{n-1}(P_s + P) \mid P \in \mathbb{S}_R\}.$

Similarly, $|\mathbb{S}_{RJ}|, |\mathbb{S}_{JJ}| \le |\mathbb{S}_J| \le l$ and $|\mathbb{S}_{JR}|, |\mathbb{S}_{RR}| \le |\mathbb{S}_R| \le l$. Since $P_s$ is a polynomial with the lowest degree, we have $\mathrm{tdeg}(\mathcal{R}_{n-1}(P_s + P)) \le \mathrm{tdeg}(P)$, which means that $\mathrm{tdeg}(\mathbb{S}_{RR}) \le \mathrm{tdeg}(\mathbb{S}_R)$ and $\mathrm{tdeg}(\mathbb{S}_{RJ}) \le \mathrm{tdeg}(\mathbb{S}_J)$. For the other two sets, we can conclude $\mathrm{tdeg}(\mathbb{S}_{JJ}) \le \mathrm{tdeg}(\mathbb{S}_J) - 1 \le d - 2$ and $\mathrm{tdeg}(\mathbb{S}_{JR}) \le \mathrm{tdeg}(\mathbb{S}_R) - 1 \le d - 1$.

Recursively, we have the following sequence

$(\mathbb{S}) \to (\mathbb{S}_J, \mathbb{S}_R) \to (\mathbb{S}_{JJ}, \mathbb{S}_{JR}, \mathbb{S}_{RR}, \mathbb{S}_{RJ}) \to \cdots$ (20)

For a set $\mathbb{S}_{O_1O_2\cdots O_k}$ where each $O_i$ is $J$ or $R$, we have $|\mathbb{S}_{O_1O_2\cdots O_k}| \le l$. We can deduce that $\mathrm{tdeg}(\mathbb{S}_{O_1O_2\cdots O_k}) \le d - s$ where $s$ is the number of $O_i$ which are $J$. Therefore, the number of $J$ occurring in the subscript of $\mathbb{S}$ can be $d - 1$ at most. As a consequence, in round $n - k$, corresponding to the $(k+1)$-th part of the sequence (20), the number of such sets $\mathbb{S}$ is at most $\binom{k}{0} + \binom{k}{1} + \cdots + \binom{k}{d-1}$. Thus, the number of polynomials in round $n - k$ is at most $l(\sum_{i=0}^{d-1} \binom{k}{i})$. It implies that we need at most $l(\sum_{k=0}^{n-1}\sum_{i=0}^{d-1} \binom{k}{i}) = l(\sum_{i=1}^{d} \binom{n}{i})$ polynomial additions in the algorithm. It is easy to prove that in other, simpler cases, the number of additions is still bounded by $l(\sum_{i=1}^{d} \binom{n}{i})$, or $O(ln^d)$.

Now let us estimate the complexity of the polynomial additions in MFTriSet. We can define an operator $\mathcal{I}_k$ as follows: if $\mathrm{cls}(P) = k$, $\mathcal{I}_k(P) = \mathrm{init}(P)$; if $\mathrm{cls}(P) < k$, $\mathcal{I}_k(P) = 0$. It is easy to prove that if we substitute $\mathcal{J}_i$ with $\mathcal{I}_i$ in equation (18) and equation (19) of Section 5.2, either equation will be unchanged or become itself plus one. Now we use $\mathrm{term}(P)$ to denote the number of monomials occurring in $P$. Then we have $\mathrm{term}(\mathcal{I}P) + \mathrm{term}(\mathcal{R}P) \le \mathrm{term}(P)$. Similarly to the proof of Theorem 5.4, we can prove the following lemma.

Lemma 5.9 Let $n$ be the number of variables and $\mathbb{P}$ the input of Algorithm MFTriSet. Then, for any polynomial $T$ occurring in MFTriSet, we have $\mathrm{term}(T) \le \sum_{P \in \mathbb{P}} \mathrm{term}(P) + 1$. If $|\mathbb{P}| > n$, then there exist $n$ polynomials $P_1, \ldots, P_n$ in $\mathbb{P}$ such that $\mathrm{term}(T) \le \mathrm{term}(P_1) + \mathrm{term}(P_2) + \cdots + \mathrm{term}(P_n) + 1$.

Note that the bitsize complexity of computing the sum of $P_1$ and $P_2$ is $O(n(\mathrm{term}(P_1) + \mathrm{term}(P_2)))$. Then the complexity of Algorithm MFTriSet is $O(ln^{d+1}(\sum_{P \in \mathbb{P}} \mathrm{term}(P)))$. We have proved Theorem 5.8.
6. Experimental Results

We have implemented algorithms TDCS and MFCS in $R_2$ in the C language and tested them with a large number of polynomial systems. In order to save storage space, we use the SZDD to store the polynomials in our implementation [33].

For comparison, we also use the Gröbner basis algorithm (F4) in Magma with the Degree Reverse Lexicographic order, denoted by GB, to solve these polynomial systems. The experiments are done on a PC with a 3.19GHz CPU, 2G memory, and a Linux OS. The running times in the tables are all given in seconds.

6.1 Boolean Matrix Multiplication Problem 

For two n x n Boolean matrices A and B, if AB = I, by the linear algebra we can 
deduce that BA = I, where / is the n x n identity matrix. However, if we want to check 
the conclusion by reasoning, it will become an extremely difficult problem. This challenge 
problem was proposed by Stephen Cook in his invited talk at SAT 2004 [11, 12]. The best 
known result was that the problem of n = 5 can be solved by SAT-solvers in about 800-2000 
seconds. The problem of n = 6 were still unsolved [3]. 

Now we test our software on this problem by converting it into the solving of
a Boolean polynomial system. By setting the entries of A and B to be 2n^2 distinct variables,
we obtain n^2 quadratic polynomials from AB = I. Then we compute the Gröbner basis
or the zero decomposition of these polynomials, and check whether the polynomials generated
by BA = I can be reduced to 0 by the Gröbner basis or by every characteristic set in the
zero decomposition. In this way, we can prove the conclusion.

We use the CS method to illustrate the above procedure. Let P1 and P2 be the polynomial
sets generated by AB = I and BA = I respectively. With the CS method, we have

Zero_q(P1) = ∪_i Zero_q(A_i)

where the A_i are triangular sets. If prem(P, A_i) = 0 for all possible i and P ∈ P2, then we have
solved the problem. It is clear that the major difficulty here is to compute the decomposition.
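As an added illustration of the encoding just described (example code written for this edition, not the authors' implementation), the following Python builds P1 and P2 from AB = I and BA = I over the 2n^2 entry variables and, for tiny n only, replaces the zero decomposition by exhaustive enumeration of Zero(P1) to confirm that every polynomial of P2 vanishes on it:

```python
from itertools import product

# Variables are ("a", i, j) and ("b", i, j), the 2n^2 entries of A and B. A Boolean
# polynomial is a frozenset of monomials, a monomial a frozenset of variables (the
# empty monomial is the constant 1); coefficients are in F_2 and x*x = x.

def product_polys(x, y, n):
    """The n^2 polynomials of XY = I: entry (i, j) is sum_k x_ik y_kj, plus 1 on
    the diagonal, i.e. the quadratic polynomials the paper builds from AB = I."""
    polys = []
    for i in range(n):
        for j in range(n):
            monos = {frozenset({(x, i, k), (y, k, j)}) for k in range(n)}
            if i == j:
                monos ^= {frozenset()}
            polys.append(frozenset(monos))
    return polys

def evaluate(p, on):
    """Value of p when exactly the variables in `on` are 1."""
    return sum(m <= on for m in p) % 2

def zero_set(polys, variables):
    """Exhaustive Zero(P) over F_2, feasible only for tiny n; for n = 4, 5, 6 the
    paper's zero decomposition into triangular sets replaces this enumeration."""
    zeros = []
    for bits in product((0, 1), repeat=len(variables)):
        on = frozenset(v for v, b in zip(variables, bits) if b)
        if all(evaluate(p, on) == 0 for p in polys):
            zeros.append(on)
    return zeros

def ab_implies_ba(n):
    """Return (every zero of P1 = {AB = I} is a zero of P2 = {BA = I}, |Zero(P1)|);
    the count equals the number of invertible n x n matrices over F_2."""
    variables = [(m, i, j) for m in "ab" for i in range(n) for j in range(n)]
    p1 = product_polys("a", "b", n)          # P1, from AB = I
    p2 = product_polys("b", "a", n)          # P2, from BA = I
    zeros = zero_set(p1, variables)
    return all(evaluate(q, on) == 0 for on in zeros for q in p2), len(zeros)
```

For n = 3 the enumeration still runs over 2^18 assignments; n = 4 already needs 2^32 and is where the decomposition of Table 1 takes over.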

For n = 4, 5, 6, the numbers of variables are 32, 50, 72 respectively. Therefore, computing
the Gröbner basis or the zero decomposition of these polynomials is hard work. We
used GB and our MFCS algorithm to solve the problem with n = 4, 5, 6. The running
time given in Table 1 includes solving the equations generated by AB = I and checking the
conclusion BA = I. The notation • means memory overflow.





           n=4       n=5       n=6
MFCS      0.11        41    196440
GB        2363         •         •

Table 1. Running times for Boolean matrix multiplication problems

6.2 Equations from Stream Ciphers Based on Nonlinear Filter Generators 

In this section we generate our equations from stream ciphers based on LFSRs. We first
show how these polynomial systems are generated. A linear feedback shift register (LFSR)
of length L can be simply considered as a sequence of L numbers (c_1, c_2, ..., c_L) from F_2
such that ^ ^ [31]. For an initial state S_0 = (s_0, s_1, ..., s_{L-1}) ∈ F_2^L, we can use the
given LFSR to produce an infinite sequence satisfying

s_i = c_1 s_{i-1} + c_2 s_{i-2} + ... + c_L s_{i-L},  i = L, L + 1, ...   (21)

A key property of an LFSR is that if the related feedback polynomial P(x) = c_L x^L +
c_{L-1} x^{L-1} + ... + c_1 x − 1 is primitive, then the sequence (21) has period 2^L − 1 [31]. The
number of non-zero coefficients in P is called the weight of P, denoted by w_P.

An often used technique in stream ciphers to enhance the security of an LFSR is to
add a nonlinear filter to the LFSR. Let f(x_1, ..., x_m) be a Boolean polynomial with m
variables. We assume that m < L. Then we can use f and the sequence (21) to generate a
new sequence as follows

z_t = f(s_{t+k_1}, s_{t+k_2}, ..., s_{t+k_m}),  t = 0, 1, ...   (22)

where {k_i}_{1≤i≤m} is called the tapping sequence. A combination of an LFSR and a
nonlinear polynomial f is called a nonlinear filter generator (NFG).

The filter functions used in this paper are due to Canteaut and Filiol [7]:

• CanFil 1, x1x2x3 + x1x4 + x2x5 + x3

• CanFil 2, x1x2x3 + x1x2x4 + x1x2x5 + x1x4 + x2x5 + x3 + x4 + x5

• CanFil 3, x2x3x4x5 + x1x2x3 + x2x4 + x3x5 + x4 + x5

• CanFil 4, x1x2x3 + x1x4x5 + x2x3 + x1

• CanFil 5, x2x3x4x5 + x2x3 + x1

• CanFil 6, x1x2x3x5 + x2x3 + x4

• CanFil 7, x1x2x3 + x2x3x4 + x2x3x5 + x1 + x2 + x3

• CanFil 8, x1x2x3 + x2x3x6 + x1x2 + x3x4 + x5x6 + x4 + x5

• CanFil 9, x2x4x5x7 + x2x5x6x7 + x3x4x6x7 + x1x2x4x7 + x1x3x4x7 + x1x3x6x7 + x1x4x5x7 +
x1x2x5x7 + x1x2x6x7 + x1x4x6x7 + x3x4x5x7 + x2x4x6x7 + x3x5x6x7 + x1x3x5x7 + x1x2x3x7 +
x3x4x5 + x3x4x7 + x3x6x7 + x5x6x7 + x2x6x7 + x1x4x6 + x1x5x7 + x2x4x5 + x2x3x7 + x1x2x7 +
x1x4x5 + x6x7 + x4x6 + x4x7 + x5x7 + x2x5 + x3x4 + x3x5 + x1x4 + x2x7 + x6 + x5 + x2 + x1

• CanFil 10, x1x2x3 + x2x3x4 + x2x3x5 + x6x7 + x3 + x2 + x1.

In the experiments, we use our algorithms to find S_0 = (s_0, s_1, ..., s_{L-1}) by solving the
following equations for given c_j, z_i, and f

z_t = f(s_{t+k_1}, s_{t+k_2}, ..., s_{t+k_m}),  t = 0, 1, ..., k   (23)

where k is a positive integer, the s_j satisfy (21), and {k_1, ..., k_m} is a tapping sequence.
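An added example (not the authors' code) that carries (21) to (23) through on a constructed small instance: it derives the right-hand sides f(s_{t+k_1}, ..., s_{t+k_m}) of (23) symbolically in the initial-state variables s_0, ..., s_{L-1}, checks them against a direct run of the generator, and finds by exhaustive search the smallest k for which the system has a unique solution, i.e. the k reported in the tables below. L = 10, the feedback polynomial x^10 + x^3 + 1, the tapping sequence and the initial state are assumptions chosen to keep the search small.

```python
from itertools import product

# ANF Boolean polynomials: a polynomial is a frozenset of monomials and a monomial
# a frozenset of variable names (the empty monomial is the constant 1); + is XOR.
def mul(p, q):
    r = set()
    for a, b in product(p, q):
        r ^= {a | b}                   # x*x = x over F_2, so a monomial is a set
    return frozenset(r)

def evaluate(p, on):
    """Value of p when exactly the variables in `on` are 1."""
    return sum(m <= on for m in p) % 2

# Constructed instance, not one from the paper's tables: L = 10 with feedback
# polynomial x^10 + x^3 + 1 (c_3 = c_10 = 1 in (21)), taps {0..4}, filter CanFil 1.
L, FEEDBACK, TAPS = 10, (3, 10), (0, 1, 2, 3, 4)
CANFIL1 = ((1, 2, 3), (1, 4), (2, 5), (3,))        # x1x2x3 + x1x4 + x2x5 + x3
STATE = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1)             # constructed initial state S_0

def lfsr_symbolic(n):
    """s_0..s_{n-1} as polynomials in s0..s{L-1} via (21); the LFSR is linear."""
    s = [frozenset({frozenset({f"s{i}"})}) for i in range(L)]
    for i in range(L, n):
        acc = frozenset()
        for j in FEEDBACK:
            acc ^= s[i - j]
        s.append(acc)
    return s

def filter_poly(f, args):
    """Substitute the polynomials args[0..m-1] for x_1..x_m in the ANF f."""
    acc = frozenset()
    for mono in f:
        term = frozenset({frozenset()})
        for idx in mono:
            term = mul(term, args[idx - 1])
        acc ^= term
    return acc

def keystream_polys(k):                 # right-hand sides of (23), k equations
    s = lfsr_symbolic(k + max(TAPS))
    return [filter_poly(CANFIL1, [s[t + j] for j in TAPS]) for t in range(k)]

def keystream(state, k):
    """Concrete bits z_0..z_{k-1} from running the generator (independent check)."""
    s = list(state)
    while len(s) < k + max(TAPS):
        s.append(sum(s[len(s) - j] for j in FEEDBACK) % 2)
    f = lambda x1, x2, x3, x4, x5: (x1 & x2 & x3) ^ (x1 & x4) ^ (x2 & x5) ^ x3
    return [f(*[s[t + j] for j in TAPS]) for t in range(k)]

def smallest_unique_k(state, kmax=40):
    """The fewest equations of (23) whose zero set in F_2^L is exactly {state}."""
    z, polys = keystream(state, kmax), keystream_polys(kmax)
    rows = {}
    for bits in product((0, 1), repeat=L):         # exhaustive, only for tiny L
        on = frozenset(f"s{i}" for i, b in enumerate(bits) if b)
        rows[bits] = [evaluate(p, on) for p in polys]
    for k in range(1, kmax + 1):
        if [b for b, r in rows.items() if r[:k] == z[:k]] == [tuple(state)]:
            return k
    return None
```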

We compare four different algorithms for solving these equations. Two of them are
MFCS and GB. Faugère and Perret suggested to us that an incremental version of
the Gröbner basis algorithm is faster than GB for the equations generated by the LFSR.
Therefore, we also compare the incremental Gröbner basis algorithm and the incremental
TDCS, denoted IGB and ITDCS respectively. Note that the F5 method [17] and the CS
method presented in [30] also use the incremental technique.

Let HS be the field polynomials {x_1^2 + x_1, ..., x_n^2 + x_n} and PS = {P_1, P_2, ..., P_k} be
the input polynomials, with P_i the polynomial generated from the i-th output bit. Then
we compute the IGB with the following code in Magma:

    R<x1, ..., xn> := PolynomialRing(GF(2), n, "grevlex");
    HS := [R.i^2 + R.i : i in [1..Rank(R)]]; G := HS;
    for i := 1 to k do
        G := G cat [PS[i]]; G := GroebnerBasis(G);
    end for;
    G;

We did three sets of experiments of increasing difficulty. The test problems are
similar to those in [8] but are more difficult. We also compare our method with one of the
benchmark implementations of the Gröbner basis method on the same computer, a comparison
that is not given in [8].

In the first set of experiments, we choose a simple tapping sequence {0, 1, 2, 3, 4, 5, 6} and
the feedback polynomials for n = 40, 60, 81, 100, 128 are respectively x^40 + x^21 + x^19 + x^2 + 1,
x^60 + x^1 + 1, x^81 + x^4 + 1, x^100 + x^37 + 1, x^128 + x^29 + x^27 + x^2 + 1. The results are given
in Table 2, where L is the number of variables and k is the number of equations (see (23)); k
is the smallest number such that the system has a unique solution, w_P is the weight of the
feedback polynomial P, and • means memory overflow.

In the second set of experiments, we generate more difficult equations in the cases of
L = 40 and k = 60 by changing the feedback polynomial to x^40 + x^35 + x^32 + x^27 + x^24 +
x^19 + x^15 + x^12 + x^7 + x^1 + 1. The results are given in Table 3.

In the third set of experiments, we generate denser polynomial systems by changing
the tapping sequence. The results are given in Table 4, in which L = 40, k = 55, the
feedback polynomial is x^40 + x^37 + x^34 + x^21 + x^11 + x^5 + 1 and the tapping sequence is
{0, 6, 11, 18, 25, 31, 37}. The symbol * means that we computed for over 2 hours and did not
obtain the solutions.

Filters    L (w_P) =    40 (5)    60 (3)    81 (3)   100 (3)   128 (5)

CanFil1    MFCS           0.10      0.02      0.07      0.37      0.49
           ITDCS          0.10      0.04      0.05      0.21      0.37
           IGB            0.42      0.99      2.29      3.26      8.32
           GB             0.91      0.43      8.12      3.61    1997.2
           k                52       114       154       140       230

CanFil2    MFCS           0.17      0.03      0.07      0.59      1.11
           ITDCS          0.04      0.02      0.06      0.19      0.53
           IGB            0.43      0.65      1.61      3.17      7.13
           GB             0.92     30.65      0.02     55.09         •
           k                44        72       138       140       217

CanFil3    MFCS           0.17      0.03      0.07      0.59      1.11
           ITDCS          0.14      0.03      0.23      1.10      0.72
           IGB            0.16      0.96      2.51      6.04     16.08
           GB           178.57      1.68         •         •         •
           k                64       114       162       120       128

CanFil4    MFCS           0.09      0.05      0.07      0.83      2.70
           ITDCS          0.14      0.09      0.09      2.91      2.01
           IGB            0.17      0.89      1.99      2.13     10.26
           GB             0.65      2.24      0.39         •         •
           k                60       168       154       150       180

CanFil5    MFCS           0.03      0.01      0.03      0.08      0.12
           ITDCS          0.04      0.05      0.11      0.18      0.59
           IGB            0.14      0.37      0.80      1.59      3.46
           GB             0.10      0.06      0.10      0.50      0.85
           k                40        60        81       100       128

CanFil6    MFCS           0.05      0.04      0.08      0.11      0.35
           ITDCS          0.09      0.04      0.10      0.29      1.07
           IGB            0.08      0.35      0.80      1.70      5.28
           GB             0.24      0.09      0.01      0.65         •
           k                52       108       146       160       230

CanFil7    MFCS           0.05      0.02      0.08      0.38      0.70
           ITDCS          0.03      0.03      0.08      0.24      0.42
           IGB            0.10      0.81      1.86      3.32      9.78
           GB             0.27      0.40      0.01    831.89         •
           k                40       120       154       150       218

CanFil8    MFCS           0.32      0.08      0.21      0.61      1.31
           ITDCS          0.09      0.06      0.14      0.25      0.66
           IGB            0.13      0.30      1.26      2.09      6.11
           GB             0.88      0.56     92.51     20.03         •
           k                44        60       154       140       218

CanFil9    MFCS           2.94      0.30      0.64      0.79     15.31
           ITDCS          0.45      0.06      0.24      1.22      1.28
           IGB            4.39      5.13     13.15     17.78     47.62
           GB                •     90.49         •         •         •
           k                48       102       113       110       218

CanFil10   MFCS           0.39      0.06      0.12      1.40      3.43
           ITDCS          0.12      0.04      0.12      0.57      0.49
           IGB            4.48     28.16     50.87     63.63    100.39
           GB            28.72      2.21    492.16         •         •
           k                44        90       122       140       205

Table 2. Examples with simple feedback polynomials and tapping sequences

Filter      ITDCS     MFCS      IGB       GB
CanFil1      0.78     2.44     0.89    55.73
CanFil2      0.47     2.17     0.66    49.33
CanFil3      1.01     8.10     3.16        •
CanFil4      0.99     2.24     0.62    26.10
CanFil5      0.58     2.80     3.00        •
CanFil6      0.58     2.14     2.81        •
CanFil7      0.16     0.35     0.27    16.64
CanFil8      0.26     5.81     0.34    33.35
CanFil9      6.83    75.62     8.54        •
CanFil10     0.70     3.04     4.87        •

Table 3. Examples with larger feedback polynomials

Filter       MFCS    ITDCS    IGB
CanFil1    109.91    *        • after 10m
CanFil2    160.98    *        • after 8m
CanFil3    149.05    *        • after 28m
CanFil4     11.19    *        • after 60m
CanFil5     23.98    *        • after 4m
CanFil6    107.39    *        • after 6m
CanFil7     13.95    *        • after 37m
CanFil8    855.04    *        • after 60m

Table 4. Examples with larger feedback polynomials and nontrivial tapping sequences

From the experiments, we have the following observations.

• From Table 2, we can see that for these "simple" examples, ITDCS is the fastest
method. IGB and MFCS are also very efficient, with MFCS better than IGB in
most cases. GB tends to generate large polynomials and causes memory overflow.

• From Table 3, we can see that for these "moderately difficult" polynomial systems,
ITDCS is still the fastest method. Now, IGB performs better than MFCS.

• From Table 4, we can see that for the "most difficult" polynomial systems, MFCS is
the only algorithm that can find the solutions on our computer. IGB and GB quickly
use all the memory and cause memory overflow. ITDCS has been run for two hours
without giving a result. The reason is that, in this case, ITDCS and IGB need to deal
with some high degree and dense polynomials. On the other hand, due to Theorems
5.4 and 5.8, the polynomials occurring in Algorithm MFCS are much smaller.

In summary, Algorithm MFCS seems to be the most efficient and stable approach to deal
with these kinds of polynomial systems. The main reason is that the size of the polynomials
in this algorithm is effectively controlled due to Theorems 5.4 and 5.8. Using SZDD [33]
to represent polynomials is another key factor in memory saving. Note that SZDD suits
the CS method very well. The CS method generates a large number of components, and
the polynomial sets representing different components differ in only a few
polynomials due to the way new components are generated (see Step 2.6.3 of Algorithm 4.3).
Different polynomial sets then share memory for their common polynomials, and as a
consequence the total memory consumption is well contained.





        CanFil1  CanFil2  CanFil3  CanFil4  CanFil5  CanFil6  CanFil7  CanFil8
N_c       13749    23881     7251     1657     1086     3331     1551   180710
R ≈       2^-26    2^-25    2^-27    2^-29    2^-30    2^-28    2^-29    2^-24

Table 5. The number of components for the examples in Table 4
For Algorithm MFCS, the bottleneck problem is how to control the number of
components (that is, the number of polynomial sets in P* in the output of Algorithm MFTriSet).
Theoretically, this number is exponential in the worst case. In practice, this number can
also be very large. But, compared with the number 2^n of exhaustive search, the number of
components generated in MFTriSet is still very small. In Table 5, we give the number of
components for each example in Table 4. In this table, N_c is the number of components and
R = N_c / 2^n could be considered as a measure of the effectiveness of Algorithm MFTriSet. We can
see that R is very small for all examples.

6.3 Attack on Bivium-A 

Bivium is a simplified version of the eStream stream cipher candidate Trivium [44]. It is
built on the same design principles as Trivium. The intention is to reduce the complexity of
Trivium, and to extend the attacks on Bivium to Trivium. Bivium has two versions, Bivium-A
and Bivium-B. Here we focus on attacking Bivium-A. There have been several successful
attacks on Bivium-A, and we want to show that our algorithm is comparable with these
algorithms.

Bivium-A is given by the following pseudo-code:

    for i = 1 to N do
        t1 ← s66 + s93
        t2 ← s162 + s177
        zi ← t2
        t1 ← t1 + s91 · s92 + s171
        t2 ← t2 + s175 · s176 + s69
        (s1, s2, ..., s93) ← (t2, s1, ..., s92)
        (s94, s95, ..., s177) ← (t1, s94, ..., s176)

We want to recover the initial state (s1, ..., s177) from the given output bits (z1, ..., zN).
Note that the degree of the equations will increase after several clocks. In order to avoid this
problem, we can introduce two new variables and two equations for each clock:

s178 = s66 + s93 + s91 · s92 + s171   (24)
s179 = s162 + s177 + s175 · s176 + s69   (25)

Then we obtain a Boolean polynomial system with 2N + 177 variables and 3N equations.
The results of the successful attacks on Bivium-A [32, 36, 37] 1) are given in Table 6.



Method                    Time             Output Bits
Graph for sparse system   "about a day"    177
SatSolver                 21 sec           177
Gröbner Basis             400 sec          2000

Table 6. The known results for Bivium-A

1) In [37], they give four different results by solving in different ways. Here we only list the result obtained by adding
new variables but without guessing any variables.
In our experiments, we use the algorithm MFCS and the equations are generated by
adding two new variables for each clock. We run MFCS on a sample of 100 different random
initial states. We observed that different initial keys make a great difference to the results.
For every initial state, we can find a number M. When the number of output bits N is not
less than M, the equations can be solved within one minute. When N becomes much bigger,
the running time increases slowly. However, if N is less than M, the running time will
be much longer than one minute. From our experimental results, the value of M is from 200
to 700. In our experiments, we set N = 700.

The average time for solving the problem by MFCS with 700 output bits is 49.3 seconds.
We also tried to use GB to solve the same sample on the same computer. The equations are
also generated by adding two variables for each clock. In order to solve the equations, we
need 1700 output bits. If the output is less than 1700 bits, the memory is exhausted.
For N = 1700, the average time for solving the problem by GB is 303.3 seconds. If we set
N = 2000 as in [37], the average time is 521.6 seconds. From the results, we can see that
our algorithm is comparable with the known successful algorithms for this problem.
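An added example (written for this edition, not the authors' implementation) of the encoding used in this subsection: it runs the Bivium-A pseudo-code, generates the 3N polynomials in 177 + 2N variables with the fresh variables of (24) and (25), and checks that the true run zeroes every polynomial while a wrong initial state does not. The 177-bit initial state is a constructed sample.

```python
import random

# Variables are integers: 1..177 for the initial state s1..s177, then 178, 179, ...
# for the two fresh variables of each clock, as in (24) and (25). A polynomial is a
# frozenset of monomials, a monomial a frozenset of variable ids (empty = constant 1).

def bivium_a_step(s):
    """One clock of the Bivium-A pseudo-code on a concrete 177-bit list (s[0] is s1)."""
    t1 = s[65] ^ s[92]                          # s66 + s93
    t2 = s[161] ^ s[176]                        # s162 + s177
    z = t2
    t1 ^= (s[90] & s[91]) ^ s[170]              # + s91*s92 + s171
    t2 ^= (s[174] & s[175]) ^ s[68]             # + s175*s176 + s69
    return [t2] + s[:92] + [t1] + s[93:176], z

def bivium_a_system(z):
    """The 3N polynomials (each must be 0) in 177 + 2N variables for output bits z."""
    regs = list(range(1, 178))                  # register s_i holds variable regs[i-1]
    nxt, polys = 178, []
    for zi in z:
        r = lambda i: frozenset({regs[i - 1]})
        u, v = nxt, nxt + 1                     # fresh names for the updated t1, t2
        nxt += 2
        out = {r(162), r(177)} ^ ({frozenset()} if zi else set())   # z_i + t2 = 0
        polys.append(frozenset(out))
        polys.append(frozenset({frozenset({u}), r(66), r(93),
                                frozenset({regs[90], regs[91]}), r(171)}))   # (24)
        polys.append(frozenset({frozenset({v}), r(162), r(177),
                                frozenset({regs[174], regs[175]}), r(69)}))  # (25)
        regs = [v] + regs[:92] + [u] + regs[93:176]
    return polys, nxt - 1

def run(state, n):
    """Concrete run: keystream plus the fresh variables' values (t1, t2 per clock)."""
    s, z, fresh = list(state), [], []
    for _ in range(n):
        s, zi = bivium_a_step(s)
        z.append(zi)
        fresh += [s[93], s[0]]                  # register 94 now holds t1, register 1 t2
    return z, fresh

def satisfied(polys, on):
    """True iff every polynomial is 0 when exactly the variables in `on` are 1."""
    return all(sum(m <= on for m in p) % 2 == 0 for p in polys)

def check(state, n, candidate=None):
    """Generate the system from state's keystream and test it on `candidate`
    (default: the true initial state) extended by the true fresh values."""
    z, fresh = run(state, n)
    polys, nvars = bivium_a_system(z)
    assert len(polys) == 3 * n and nvars == 177 + 2 * n
    values = list(candidate if candidate is not None else state) + fresh
    on = frozenset(i + 1 for i, b in enumerate(values) if b)
    return satisfied(polys, on)

# Constructed sample: a fixed pseudo-random 177-bit initial state.
_rng = random.Random(2024)
STATE = [_rng.randrange(2) for _ in range(177)]
```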

7. Conclusions 

In this paper, we present two algorithms TDCS and MFCS to solve nonlinear equation 
systems in finite fields based on the idea of characteristic set. Due to the special property of 
finite fields, the given algorithms have better properties than the general characteristic set 
method. In particular, we obtain an explicit formula for the number of solutions of an equa- 
tion system, and give the bitsize complexity of Algorithm TDCS for Boolean polynomials. 
We also prove that the size of the polynomials in MFCS can be effectively controlled, which 
allows us to avoid the expression swell problem effectively. 

We test our methods by solving polynomial systems generated by the Boolean matrix 
problem, stream cipher Bivium-A and stream ciphers based on nonlinear filter generators. 
All these equations have block triangular structure. Extensive experiments show that our 
methods are efficient for solving this kind of equations and Algorithm MFCS seems to be 
the most efficient and stable approach for these problems. 

The experiments in this paper are only done for Boolean polynomials. It is our future
work to see whether the algorithms proposed in this paper can be developed into practically
efficient software packages for finite fields other than F_2. It is expected that elimination
techniques developed in previous work on CS methods will also be needed.

Acknowledgements. We want to thank the anonymous referees for helpful comments and
suggestions.